1. REAL PARTY IN INTEREST

The real party in interest is assignee Check Point Software Technologies, Inc. 
located at 800 Bridge Parkway, Redwood City, CA 94065. 

2. RELATED APPEALS AND INTERFERENCES 

There are no appeals or interferences known to Appellant, the Appellant's legal 
representative, or assignee which will directly affect or be directly affected by or have a 
bearing on the Board's decision in the pending appeal. 

3. STATUS OF CLAIMS 

Claims 1-64 are pending in the subject application and are the subject of this 
appeal. An appendix setting forth the claims involved in the appeal is included as the last 
section of this brief. 

4. STATUS OF AMENDMENTS 

One Amendment has been filed in this case. Appellant mailed an Amendment on 
March 2, 2005, in response to a non-final Office Action dated December 2, 2004. In the 
Amendment, the pending claims were amended in a manner which Appellant believes 
clearly distinguished the claimed invention over the art of record, for overcoming the art 
rejections. In response to the Examiner's Final Rejection dated April 2, 2005, Appellant 
filed a Request for Reconsideration. In response to the Examiner's Advisory Action 
mailed June 23, 2005, Appellant filed a Notice of Appeal. Appellant has chosen to forgo
filing an Amendment After Final which might further limit Appellant's claims, as it is 
believed that further amendments to the claims are not warranted in view of the art. 
Accordingly, no Amendments have been entered in this case after the date of the Final 
Rejection. 

5. SUMMARY OF INVENTION 

Appellant's invention comprises a system providing for a security component on
client premises equipment (e.g., a router) to check compliance of a client computer with
an access policy before permitting the computer to access the Internet (e.g., Appellant's
specification, page 19, lines 22-27). Appellant's system delegates a portion of the overall
operation of a security solution to a local piece of client premises equipment which
enforces compliance by client computers with an access policy governing Internet access
(e.g., Appellant's specification, page 19, lines 19-27). Every few seconds a security
component of the present invention on client premises equipment (e.g., Fig. 3 at 310,
311) sends a communication referred to as a "router challenge" to computers on the local
network (e.g., Appellant's specification, page 20, lines 23-24; Fig. 3 at 320, 330, 340).
The router challenge requests a response from the local computers (Appellant's
specification, page 20, lines 24-25). At the local computers, a client-side security
component of the present invention prepares and returns a response to the router
challenge (e.g., Appellant's specification, page 25, lines 19-22; Fig. 3 at 321, 341). The
responses to the router challenge that are received (if any) are stored in the router
compliance table (e.g., Appellant's specification, page 21, lines 10-12; Fig. 3 at 312).

Each time the client premises equipment receives a request to connect to the
Internet from a particular computer, its security component evaluates the
responses in the router compliance table to determine whether or not the particular
computer properly responded to the most recent router challenge (e.g., Appellant's
specification, page 21, lines 12-15; Fig. 3 at 311, 312). If the computer properly
responded to the challenge and was determined to be in compliance with the access
policy, then the security component on the client premises equipment permits the
computer to access the Internet (e.g., Appellant's specification, page 21, lines 15-18).
However, if the computer did not answer the router challenge or responded with
information indicating that it was not in compliance with the access policy, then it is not
allowed to connect to the Internet (e.g., Appellant's specification, page 21, lines 19-26).
Instead, the non-compliant computer is redirected to a "sandbox" server to address the
non-compliance (e.g., Appellant's specification, page 21, lines 26-30; Fig. 3 at 313, 330,
360). The non-compliant computer is only permitted to connect to the sandbox server for
performing a defined set of tasks and all other Internet access by the non-compliant
computer is disabled (e.g., Appellant's specification, page 21, lines 28-30).

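The challenge, response, compliance-table and sandbox-redirect flow summarized above, modelled as an added Python illustration (this is not code from the application or from the assignee). The message format, the challenge nonce, the response-freshness window and the hostnames and application names are assumptions made for the illustration; the page's own description only says a challenge goes out every few seconds and that unanswered or non-compliant hosts are sent to the sandbox.

```python
"""Toy model of the router challenge / compliance table flow (added illustration).
Assumed details: a per-host nonce in the challenge, a freshness window for the
stored response, and an access policy that lists allowed applications by
executable name (the page describes such a policy in the discussion of claim 12)."""
import secrets
from dataclasses import dataclass, field

SANDBOX_SERVER = "sandbox.local"   # assumed name for the remediation server


@dataclass
class AccessPolicy:
    """Access policy governing Internet access by client computers."""
    allowed_applications: frozenset
    max_response_age: float = 10.0   # seconds; assumption: a stale reply does not count


@dataclass
class ComplianceEntry:
    compliant: bool
    received_at: float


@dataclass
class ClientPremisesRouter:
    """Security component on client premises equipment (Fig. 3 at 310/311)."""
    policy: AccessPolicy
    compliance_table: dict = field(default_factory=dict)   # router compliance table (Fig. 3 at 312)
    outstanding: dict = field(default_factory=dict)        # latest nonce issued per host

    def issue_challenge(self, client_ip: str, now: float) -> dict:
        """Periodic 'router challenge' sent to one local computer."""
        nonce = secrets.token_hex(8)
        self.outstanding[client_ip] = nonce
        return {"type": "router_challenge", "nonce": nonce, "issued_at": now}

    def record_response(self, client_ip: str, response: dict, now: float) -> None:
        """Store the reply; a reply that does not match the latest nonce is ignored,
        so the table keeps whatever (possibly stale or absent) entry it had."""
        if response.get("nonce") != self.outstanding.get(client_ip):
            return
        apps = set(response.get("internet_applications", []))
        compliant = apps <= self.policy.allowed_applications
        self.compliance_table[client_ip] = ComplianceEntry(compliant, now)

    def decide(self, client_ip: str, now: float) -> str:
        """Evaluated on each Internet connection request: 'permit' or a sandbox redirect."""
        entry = self.compliance_table.get(client_ip)
        fresh = entry is not None and now - entry.received_at <= self.policy.max_response_age
        if fresh and entry.compliant:
            return "permit"
        return f"redirect:{SANDBOX_SERVER}"


def client_respond(challenge: dict, running_internet_apps) -> dict:
    """Client-side security component's answer to the challenge (Fig. 3 at 321/341)."""
    return {"type": "router_response", "nonce": challenge["nonce"],
            "internet_applications": sorted(running_internet_apps)}


def simulate() -> dict:
    """Walk the constructed hosts through the flow and return each decision."""
    policy = AccessPolicy(allowed_applications=frozenset({"browser.exe", "mail.exe"}))
    router = ClientPremisesRouter(policy)
    t0 = 1000.0
    results = {}
    # Host A: compliant and answers promptly
    ch = router.issue_challenge("10.0.0.2", t0)
    router.record_response("10.0.0.2", client_respond(ch, {"browser.exe"}), t0 + 1)
    results["compliant"] = router.decide("10.0.0.2", t0 + 2)
    # Host B: reports an application the policy does not allow
    ch = router.issue_challenge("10.0.0.3", t0)
    router.record_response("10.0.0.3", client_respond(ch, {"browser.exe", "spy.exe"}), t0 + 1)
    results["noncompliant"] = router.decide("10.0.0.3", t0 + 2)
    # Host C: never answers the challenge
    router.issue_challenge("10.0.0.4", t0)
    results["silent"] = router.decide("10.0.0.4", t0 + 2)
    # Host A again, long after its last answer (stale entry)
    results["stale"] = router.decide("10.0.0.2", t0 + 60)
    # Host D: answers with a nonce that was never issued to it
    router.issue_challenge("10.0.0.5", t0)
    router.record_response("10.0.0.5", {"nonce": "deadbeef", "internet_applications": []}, t0 + 1)
    results["bad_nonce"] = router.decide("10.0.0.5", t0 + 2)
    return results


if __name__ == "__main__":
    for host, decision in simulate().items():
        print(f"{host}: {decision}")
```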
6. ISSUES

The issues presented on appeal are: (1) whether claims 1, 3-6, 8, 11, 12, 17, 21,
45, 46, 47, 48-51, 55 and 57 are unpatentable under 35 U.S.C. 102(e) as being anticipated
by U.S. Patent No. 6,463,474 B1 issued to Fuh et al. (hereinafter "Fuh"); (2) whether
claims 2, 7, 10, 13-16, 18-19, 20, 47, 52-54, 56, and 58-60 are unpatentable under 35
U.S.C. 103(a) as being obvious over Fuh; (3) whether claims 22-25, 27-37, 39, 40, and
42-44 are unpatentable under 35 U.S.C. 103(a) as being obvious over Fuh in view of U.S.
Patent No. 5,761,683 to Logan et al. (hereinafter "Logan"); (4) whether claims 26 and 41
are unpatentable under 35 U.S.C. 103(a) as being obvious over Fuh in view of Logan,
further in view of U.S. Patent No. 6,026,440 to Shrader et al. (hereinafter "Shrader"); (5)
whether claim 61 is unpatentable under 35 U.S.C. 103(a) as being obvious over Fuh in
view of U.S. Patent No. 6,542,933 to Durst, Jr. et al. (hereinafter "Durst"); and (6) whether
claims 62-64 are unpatentable under 35 U.S.C. 103(a) as being obvious over Fuh in view
of Durst, and further in view of Shrader.

7. GROUPING OF CLAIMS 

For purposes of this appeal, Appellant believes that the following groups of 
claims are separately patentable under Sections 102 and 103. Thus, the claims do not 
stand or fall together with respect to the rejections under Sections 102 and 103 but are 
instead grouped as follows: 

Group I: claims 1, 3-6, 8, 11, 12, 17, 21, 45, 46, 47, 48-51, 55 and 57

Group II: claims 2, 7, 10, 13-16, 18-19, 20, 47, 52-54, 56, 58-60

Group III: claims 22-25, 27-37, 39, 40, and 42-44

Group IV: claims 26 and 41

Group V: claim 61

Group VI: claims 62-64

(The reasoning supporting separate patentability of the above groups is set forth in
detail below, in the Argument section.) 

8. ARGUMENT 

A. Rejection under 35 U.S.C. Section 102(e) 

1. General 

Under Section 102, a claim is anticipated only if each and every element as set
forth in the claim is found, either expressly or inherently described, in the single prior art
reference. (See, e.g., MPEP Section 2131.) As will be shown below, the reference fails
to teach each and every element set forth in claim 1, as well as other claims, and therefore
fails to establish anticipation of the claimed invention under Section 102.

2. Group I claims

Claims 1, 3-6, 8, 11, 12, 17, 21, 45, 46, 47, 48-51, 55 and 57 stand rejected under
35 U.S.C. 102(e) as being anticipated by U.S. Patent No. 6,463,474 B1 issued to Fuh et
al. (hereinafter "Fuh"). Initially, it should be noted that the Examiner has not included
claims 9 and 22 in the list of claims rejected as anticipated by Fuh at paragraph 2 at page
2 of the Office Action mailed April 7, 2005 (hereinafter "Second Office Action").
However, it will be assumed that the Examiner meant to include claims 9 and 22 in this
list of claims rejected as anticipated by Fuh as the Examiner has so indicated at paragraph
6 at page 6 and at paragraph 2 at page 4 of the Second Office Action, respectively.

The following rejection of Appellant's claim 1 by the Examiner is representative
of the Examiner's rejection of the Appellant's claims of this group as being anticipated by
Fuh:

With respect to claim 1, Fuh et al discloses; In a system comprising one or more
client computers connected to the Internet by client premises equipment serving a
routing function for client computers (figure 3 item #306, item #210, item #216),
a method for managing Internet access based on a specified access policy (see
abstract), the method comprising: transmitting a challenge from said client
premises equipment to each client computer (figure 4 item #403), for determining
whether a given client computer is in compliance with said specified access
policy; transmitting a response from at least one client computer back to said
client premises equipment, for responding to said challenge that has been issued
(figure 4 item #404); and blocking Internet access for any client computer that
does not respond appropriately to said challenge (figure 7A block #707).

(Second Office Action, paragraph 2, page 2) 

As noted above, a claim is anticipated only if each and every element as set forth 
in the claim is found, either expressly or inherently described, in the single prior art 
reference. As will be shown below, Fuh fails to teach each and every element set forth in 
claims 1 and 45 (as well as other claims) and therefore fails to establish anticipation of 
the claimed invention under Section 102. 

The Examiner equates Fuh's firewall router which authenticates users with 
Appellant's security system which provides for client premises equipment (e.g., a router) 
to regulate access to the Internet by client computers based on an access policy. At the 
outset, Appellant does not claim to have invented the notion of authenticating a user at a 
router. To be sure, at a high level both Fuh's system and Appellant's invention involve 
routers (or other similar client premises equipment). However, Appellant's claimed 
invention includes specific elements that distinguish it from Fuh's system. As described 
below, Fuh's system decides whether to authenticate a user for access to particular 
resources (e.g., an intranet) based on user login information, while Appellant's security 
system serves a different purpose in enforcing compliance by client computers with an 
access policy governing Internet access by the client computers. In Appellant's system, 
for example, the access policy may specify which particular applications are allowed 
Internet access, thereby allowing users (including administrators) to block spyware and 
other malware from accessing the Internet from a given client machine (thereby 
preventing the transmission of confidential or sensitive information from the client 
computer (e.g., desktop computer, laptop, or the like) to third party perpetrators on the 
Internet). These and other differences between Appellant's invention and Fuh's system 
become apparent when the elements of Appellant's claims are compared to the specific 
teachings of Fuh cited by the Examiner. 

As a first example, the Examiner references Fuh's abstract for the teaching of "a 
method for managing internet access based on a specified access policy" as stated in
Appellant's claim 1. However, Fuh's abstract describes a router that intercepts traffic
from a client directed towards a network resource for purposes of authenticating the client
(i.e., user) at the router. It does not describe an access policy for managing Internet
access by client computers. The Examiner also references Fuh at col. 6, lines 1-5 for the
teaching of the comparable element of Appellant's claim 45 of "an access policy
governing Internet access by client computers". However, this portion of Fuh reads as
follows:

...the invention encompasses a computer system for controlling access of a client
to a network resource using a network device that is logically interposed between
the client and the network resource, comprising ... creating and storing client
authorization information at the network device, wherein the client authorization
information comprises information indicating whether the client is authorized to
communicate with the network resource and what access privileges the client is
authorized to have with the network resource.

(Fuh, col. 5, line 58 - col. 6, line 5, emphasis added)

Fuh's authentication proxy is implemented at a firewall router which protects a 
particular network resource from access by external user(s). Fuh's system is focused on 
protecting this particular resource (e.g., server on an intranet serving a given 
organization). If an external user seeking to access the particular network resource is 
authenticated by Fuh's system, then the system also indicates what access privileges the 
user is authorized to have with the particular network resource. The "access privileges" 
that are given to users by Fuh's system relate to the particular network resource. 

Appellant's access policy, in contrast, relates to Internet access by client
computers and not to a particular network resource. Another significant difference is that
Fuh's "access privileges" for "user profile" are applied to a particular user after the
decision about whether or not to authenticate the particular user for access to the network
resource is made (Fuh, col. 7, lines 56-58). This is not Appellant's approach. Appellant's
access policy is not applied after the decision to permit access is made. Instead,
Appellant's system examines compliance with the access policy in making the decision
about whether to permit access. For these reasons, Fuh's access privileges are not
comparable to Appellant's claim element of "managing Internet access based on a
specified access policy" which governs Internet access by client computers.

Another major difference between the system of Fuh and that of Appellant is that
the "challenge" issued by Fuh's system requests login information for authentication of a
user. Appellant's invention, in contrast, issues a challenge to a client computer for
determining whether the client computer is in compliance with the above-described
access policy governing Internet access by client computers. The Examiner references
the element 403 at Fig. 4 of Fuh for the teaching of determining whether a client
computer is in compliance with an access policy. However, the following description of
this element 403 in the Fuh reference clearly indicates that the purpose of this "challenge"
is to obtain user login information:

Referring again to FIG. 7B, after the new authentication cache is created, login
information is requested from the client, as shown in block 724. For example,
Authentication Proxy 400 obtains authentication information from User 302 by
sending a login form to client 306. The login form is an electronic document
that requests User 302 to enter username and password information, as
shown by path 403.

(Fuh, col. 11, lines 49-55)

As illustrated above, Fuh's system is focused on authenticating a user based on 
login information (e.g., username and password), rather than based on compliance of the 
client computer with an access policy governing Internet access. The "challenge" issued 
by Fuh's authentication proxy requests a user to enter a username and password in a login 
form. Fuh's system determines whether or not to permit remote access to particular 
resources (e.g., intranet) based on this user login information. If the login information 
supplied by the user is correct and the authentication process is successful, access is 
permitted and the authentication cache is updated so that subsequent requests can 
authenticate at the firewall router without consulting a separate authentication server 
(Fuh, col. 12, lines 38-47). 

Unlike Fuh's system, Appellant's invention does not permit or block requests for
access based on user login information. Instead, Appellant's system determines
whether a given client computer is in compliance with the specified access policy
governing Internet access. If the client computer is not in compliance with the access
policy, Appellant's invention blocks access to the Internet. These features are specifically
described in Appellant's claims, including, for example, in Appellant's claim 1 which
includes the following claim limitations:

1. In a system comprising one or more client computers connected to the Internet
by client premises equipment serving a routing function for client computers, a
method for managing Internet access based on a specified access policy, the
method comprising:

transmitting a challenge from said client premises equipment to each client
computer, for determining whether a given client computer is in compliance
with said specified access policy;

transmitting a response from at least one client computer back to said client
premises equipment for responding to said challenge that has been issued; and
blocking Internet access for any client computer that does not respond
appropriately to said challenge.

(Appellant's claim 1, emphasis added)

As shown above, Appellant's invention provides for client premises equipment to 
regulate access to the Internet by client computers. The decision about whether to allow 
Internet access by a given computer is based on compliance by the given computer with 
the above-described access policy. This is different than Fuh's approach which teaches 
authenticating a user for access based on login information (e.g., user name and 
password) supplied by the user. 

Another difference between Appellant's approach and that of Fuh is that 
Appellant's system provides for blocking access by the client computer to the Internet, 
while Fuh's system focuses on blocking external access to particular resources (e.g., an 
intranet server). Fuh's system is implemented in a firewall router which provides for 
examining incoming attempts from external sources to access a particular network 
resource (e.g., server on intranet). Appellant's invention, in contrast, provides for local 
client premises equipment to enforce compliance by client computers with the access 
policy governing Internet access. This is specifically indicated in Appellant's claim 1
which includes the following claim limitations:

In a system comprising one or more client computers connected to the Internet by
client premises equipment serving a routing function for client computers, a
method for managing Internet access based on a specified access policy, the
method comprising:

transmitting a challenge from said client premises equipment to each client
computer, for determining whether a given client computer is in compliance with
said specified access policy;

(Appellant's claim 1, emphasis added).

The Examiner references Fig. 3, item 210 and the login arrow 402 shown at Fig. 4 
of Fuh for the corresponding teaching of client premises equipment serving a routing 
function for each client computer to be regulated which issues a challenge to client 
computers. However, Fuh instead describes a firewall router which regulates remote 
access to particular resources (i.e., the intranet 216) as illustrated by the following: 

The firewall router 210 is coupled to intranet 216, and an authentication and
authorization server 218 ("AAA server"). The firewall router 210 controls remote
access to intranet 216.

(Fuh, col. 8, lines 25-28, emphasis added)

As shown at Fig. 2, in Fuh's system the LAN 206 and intranet 216 are located in
logically distinct regions (Fuh, Fig. 2). The LAN 206 is located in a first region 202 and
the intranet 216 is located in the second region 204, which may be geographically
separate (Fuh, col. 8, lines 14-19). Appellant's invention, in contrast, provides for the
access policy governing Internet access by client computers to be enforced by client 
premises equipment serving a routing function for the client computers that are being 
regulated, such as a router on the local LAN. If a given client computer is not in 
compliance with the access policy, access to the Internet by the client computer is 
regulated (i.e., selectively blocked). These limitations of client premises equipment 
regulating Internet access by a client computer based on whether the client computer is in 
compliance with an access policy are also recited in Appellant's claim 45, as follows: 
A system for regulating Internet access by client computers comprising:

an access policy governing Internet access by said client computers;

client premises equipment serving a routing function for each client computer to
be regulated and capable of issuing a challenge to each client computer, for
determining whether a given client computer is in compliance with said
access policy;

an enforcement module for selectively blocking Internet access to the Internet to
client computers not in compliance with said access policy.

(Appellant's claim 45, emphasis added)

Additional distinctions between Appellant's invention and that of Fuh are 
illustrated in Appellant's dependent claims. For example, Appellant's claim 12 includes 
the following claim limitations: 

The method of claim 1, wherein said access policy specifies applications that are 
allowed Internet access. 

(Appellant's claim 12) 

As shown above, Appellant's claimed approach involves an access policy which
specifies particular applications which are allowed Internet access. Appellant's claims 11
and 55 also include similar claim limitations. The Examiner references Fuh at column 7,
lines 56-58 for the teaching of an access policy specifying applications that are allowed
Internet access. However, the referenced portion of Fuh reads as follows:

If the username is successfully authenticated, then the firewall is dynamically
configured to open a passageway for the HTTP packets as well as other types of
network traffic initiated from the user on the client. The other types of network
traffic that are permitted through the passageway are specified in a user profile for
that particular user.

(Fuh, col. 7, lines 56-58, emphasis added)

As described above, Fuh's system receives identity information (e.g., username
and password) for authenticating a user. After the user's identity is authenticated, Fuh's
system permits particular types of network traffic initiated by that particular user which
are specified in the user's profile. The Examiner states that Fuh's "user profile" for a
"particular user" is equivalent to Appellant's claim limitations of an access policy 
regulating access to the Internet by client computers which specifies applications allowed 
to access the Internet. However, the teachings of Fuh referenced by the Examiner 
indicate that Fuh's system decides whether or not to authenticate a user based on user 
login information and without examination of applications on the client computer. As 
previously described, the user profile (or access privileges) are applied by Fuh's system 
only after the decision about whether to permit access is made (i.e., after the user is 
authenticated). This is not Appellant's claimed approach. Appellant's claimed approach 
provides for determining whether or not to permit Internet access based on compliance 
with an access policy which specifies particular applications which are approved for 
Internet access . Appellant's approach provides for making the decision about whether or 
not to permit access based on the access policy. This is not the same as applying a profile 
or set of privileges to a user after the decision to permit access to the user has been made. 

All told, Fuh's system is distinguishable from that of Appellant on several grounds 
which are specifically included as claim limitations of Appellant's claims 1 and 45 and 
other dependent claims thereof. As described above, Fuh provides no teaching 
comparable to Appellant's claim limitations of an access policy governing Internet access 
by client computers. Significantly, Fuh's firewall router provides for determining whether 
or not to authenticate a user for access to particular network resources based on user login 
information. In contrast, Appellant's invention regulates Internet access based on whether
or not a client computer attempting Internet access is in compliance with the specified
access policy. The policy itself may include specific rules governing access (e.g., rules
specifying particular applications that are approved for Internet access). Such features
cannot be reproduced with the teachings of Fuh. As Fuh does not teach or suggest all of
the claim limitations of Appellant's independent claims 1 and 45 (and other dependent
claims thereof) it is respectfully submitted that the claims distinguish over this reference
and that the Examiner's rejection under Section 102 should not be sustained.

B. Rejections under 35 U.S.C. Section 103(a)

1. General 

Under Section 103(a), a patent may not be obtained if the differences between the 
subject matter sought to be patented and the prior art are such that the subject matter as a 
whole would have been obvious at the time the invention was made to a person having 
ordinary skill in the art to which the subject matter pertains. To establish a prima facie 
case of obviousness under this section, the Examiner must establish: (1) that there is 
some suggestion or motivation, either in the references themselves or in the knowledge 
generally available to one of ordinary skill in the art, to modify the reference or to 
combine reference teachings, (2) that there is a reasonable expectation of success, and (3) 
that the prior art reference (or references when combined) must teach or suggest all the 
claim limitations. (See, e.g., MPEP 2142). The references cited by the Examiner fail to
meet these conditions.

2. Group II claims

The Examiner has rejected claims 2, 7, 10, 13-16, 18-19, 20, 47, 52-54, 56, and 
58-60 under 35 U.S.C. 103(a) as being obvious over Fuh. It should be noted that the 
Examiner has previously rejected claims 47 and 55 as being anticipated by Fuh under 
Section 102 (Second Office Action, paragraph 2 at page 5 and paragraph 4 at page 5), 
and has also mentioned rejecting these claims as being obvious over Fuh under Section 
103(a) (Second Office Action, paragraph 8 at page 6 and paragraph 12 at page 9). It will 
be assumed that the Examiner meant to reject claims 47 and 55 as anticipated by Fuh 
under Section 102. 

As to the claims of this group rejected as obvious over Fuh, the Examiner 
acknowledges that Fuh does not explicitly disclose elements of these claims, but states 
that the elements not explicitly disclosed in Fuh would have been obvious to one 
ordinarily skilled in the art. The Examiner's rejection of Appellant's claims 13-16 as
follows is representative of the Examiner's rejection of Appellant's claims as obvious over
Fuh:

As per claims 13-16, Fuh et al does not explicitly disclose: application are
specified by executable name and version number, application are specified by
digital signatures, digital signatures are computed using a cryptographic hash and
wherein said cryptographic hash comprises a selected one of Secure Hash
Algorithm (SHA-1) and MD5 cryptographic hashes, however it would have been
obvious to the one of ordinary skill in the art to use the above specified elements 
because it would have allowed a router to make a correct decision (block or 
permit) by comparing executable names and securely transfer the data to the 
destination. 

(Second Office Action, paragraph 14) 

Claims 2, 7, 10, 13-16, 18-19, 20, 47, 52-54, 56, 58-60 are dependent upon
Appellant's independent claims 1 and 45 and therefore are believed to be allowable for at
least the reasons cited above pertaining to the deficiencies of Fuh in respect to Appellant's
invention. As described above, Fuh does not teach client premises equipment issuing 
challenges to client computers for determining compliance of such client computers with 
an access policy governing Internet access. The claims are believed to be patentable for 
the following additional reasons. 

Appellant's claim 12 includes limitations providing that an access policy 
governing Internet access by client computers specifies particular applications which are 
approved for Internet access. The limitations of claim 13 further provide that that access 
policy specifies not only those applications approved for Internet access, but also 
specifies particular executable names and version numbers of the applications approved 
for Internet access. The Examiner acknowledges that Fuh does not provide the specific 
teaching of an access policy in which applications approved for Internet access are 
"specified by executable name and version number that are acceptable" as provided in 
Appellant's claim 13, but states that "it would have been obvious to the one of ordinary 
skill in the art to use the above specified elements because it would have allowed a router 
to make a correct decision (block or permit) by comparing executable names and securely 
transfer the data to the destination" (Second Office Action, paragraph 8, page 8). 
However, as described above, Fuh teaches that the decision about whether or not to 
permit access is based on user login information (e.g., user name and password). Thus, 
examining the executable name and version number of an application is inconsistent with 
Fuh's approach as Fuh's system decides whether to authenticate a user and permit access
on the basis of user login information. Appellant's system, in contrast, makes the
decision about whether or not to permit access based on compliance with the access 
policy. The access policy, in turn, may specify executable names and version numbers of 
applications which are allowed Internet access. 

If anything, Fuh's described approach of making the decision about whether to
permit access to a particular user based on user login information teaches away from that
adopted by Appellant. For the reasons stated, it is respectfully submitted that Appellant's
claims of this group distinguish over the prior art and that the Examiner's rejection under 
Section 103 should not be sustained. 

3. Group III claims

The Examiner has rejected claims 22-25, 27-37, 39, 40, and 42-44 under 35
U.S.C. 103(a) as being obvious over Fuh in view of U.S. Patent No. 5,761,683 to Logan
et al. (hereinafter "Logan"). In addition, the Examiner has rejected claim 38 in paragraph
31 at page 12 of the Second Office Action; however, the Examiner has not specifically
included claim 38 in the list of claims rejected as obvious based on Fuh in view of Logan.
It is assumed that claim 38 is rejected as being obvious over Fuh in view of Logan.

As to the claims of this group, the Examiner acknowledges that Fuh does not 
explicitly disclose the elements of redirecting a client computer that is not in compliance 
with the access policy to a sandbox server and adds Logan for the teachings of redirecting 
a client computer not in compliance with an access policy to a particular sandbox server 
and displaying particular error message pages on the sandbox server in response to
communications on particular ports (Second Office Action, paragraph 17, pages 9-10). 

Claims 22-25, 27-37, 38, 39, 40, and 42-44 are believed to be allowable for at 
least the reasons cited above pertaining to the deficiencies of Fuh in respect to Appellant's 
invention. As described above, Fuh teaches authenticating a user based on user login 
information and not examining compliance by a client computer with an access policy. 
Logan does not cure the above-described deficiencies of Fuh as it provides no teaching of 
client premises equipment which monitors and enforces compliance by client computers 
with an access policy governing Internet access. Furthermore, Appellant's review of Logan 
finds that it does not include the specific limitations set forth in Appellant's claims of 
redirecting a client determined not to be in compliance with the access policy to a 
"sandbox" server. These limitations are, for example, provided in Appellant's claim 24 as 
follows: 

transmitting a challenge from said client premises equipment to each client 
computer, for determining whether a given client computer is in compliance with 
said specified access policy; 

transmitting a response from at least one client computer back to said client 
premises equipment, for responding to said challenge that has been issued; and 
redirecting a request for Internet access by any client computer that does not 
respond appropriately to said challenge to a sandbox server. 

(Appellant's claim 24, emphasis added) 

The Examiner references Logan at column 19, lines 63-67 for the teaching of 
redirecting a URL request to a remote server and Logan at column 7, lines 41-48 for 
display of an error message to indicate to a user that a request did not succeed. The 
referenced portions of Logan cited by the Examiner simply discuss conventional steps of 
handling requests for remotely stored documents by redirecting certain requests to 
retrieve locally stored copies and sending other requests to a remote web server(s). 
Logan's system provides for returning either the information (e.g., HTML document, 
graphical image, FTP file, or other displayable data) or an error message if the attempt to 
obtain the information does not succeed (Logan, column 7, lines 41-48). This does not 
teach anything analogous to Appellant's claimed approach of redirecting a client 
computer determined not to be in compliance with the access policy to a particular 
"sandbox server" as provided in Appellant's claims. As the combined references do not 
teach or suggest all of the claim limitations of Appellant's claims, it is respectfully 
submitted that the claims distinguish over these references and that the rejection under 
Section 103 is improper. 
4. Group IV claims 

The Examiner has rejected claims 26 and 41 under 35 U.S.C. 103(a) as being 
obvious over Fuh in view of Logan, further in view of U.S. Patent No. 6,026,440 to 
Shrader et al. (hereinafter "Shrader"). The Examiner acknowledges that Fuh and Logan 
do not explicitly disclose the element of permitting a client computer to elect to access 
the Internet after displaying error messages, but adds Shrader (col. 4, lines 56-57) for the 
teaching of "returning an error message (e.g., Unauthorized) to the browser and 
prompting the user for id and password" (Second Office Action, paragraph 18, page 11). 

Claims 26 and 41, which incorporate the limitations of Appellant's independent 
claims, are believed to be allowable for at least the reasons cited above pertaining to the 
deficiencies of Fuh and Logan in respect to Appellant's invention. Shrader does not cure 
the above-described deficiencies of Fuh and Logan. The referenced portion of Shrader 
simply provides that a check is made for credentials of a user and, if the user does not 
have appropriate credentials, Shrader's system returns an error message and requests 
username and password from the user. In other words, Shrader's system requires the user 
to resubmit the credentials and denies access until the proper credentials are received. 
This does not teach Appellant's claim limitations of client premises equipment which 
evaluates and enforces compliance by client computers with an access policy, nor does it 
provide the specific teaching of Appellant's claims 26 and 41 of permitting a client 
computer not in compliance with the access policy to elect to proceed with Internet access 
notwithstanding the failure to comply with the access policy. As the combined references 
do not teach or suggest all of the limitations of Appellant's claims, it is respectfully 
submitted that these claims distinguish over these references and overcome any rejection 
under Section 103. 

5. Group V claims 

The Examiner has rejected claim 61 under 35 U.S.C. 103(a) as being obvious over 
Fuh in view of US Patent No. 6,542,933 to Durst, Jr. et al. (hereinafter "Durst"). Claim 
61 is believed to be allowable for at least the reasons cited above pertaining to the 
deficiencies of Fuh in respect to Appellant's invention. Durst does not cure these 
deficiencies. The referenced portions of Durst simply discuss receiving a URL request at 
an information server and redirecting the request to a content server to receive a content 
file. Durst provides no teaching of issuing challenges for evaluating compliance of a 
client computer with an access policy or for redirecting client computers determined not 
to be in compliance with the access policy to a sandbox server as provided in Appellant's 
claims. As the combined references do not teach or suggest all of the limitations of 
Appellant's claims, it is respectfully submitted that these claims distinguish over these 
references and overcome any rejection under Section 103. 

6. Group VI claims 

The Examiner has rejected claims 62-64 under 35 U.S.C. 103(a) as being obvious 
over Fuh in view of Durst, further in view of Shrader. These claims, which incorporate 
the limitations of Appellant's independent claims, are believed to be allowable for at least 
the reasons cited above pertaining to the deficiencies of Fuh, Durst and Shrader in respect 
to Appellant's invention. Further, regarding motivation to combine these references, the 
Examiner glibly states the motivation to be providing "client computers to correct the 
network requests and authenticating again in order to access the Internet after being 
notified by a particular error." Although there is probably always some degree of 
"motivation" to generically combine multiple references to produce some sort of better 
result, the Examiner's analysis here appears to be simply conclusory hindsight, not a 
thoughtful analysis of motivation provided by the cited references themselves. To the 
extent that these references provide any sort of motivation to be combined in the manner 
suggested by the Examiner, such motivation cannot be gleaned from the Examiner's 
rejection. 

For the reasons stated, it is respectfully submitted that these claims distinguish 
over these references. Therefore, it is requested that the Examiner's rejection under Section 
103 not be sustained. 

9. CONCLUSION 

The present invention greatly improves the ease and efficiency of the task of 
managing Internet access, including preventing access by computers that do not conform 
to a security policy governing types of access permitted, which is currently in force (e.g., 
by a corporate IT department). It is respectfully submitted that the present invention, as 
set forth in the pending claims, sets forth a patentable advance over the art. 

In view of the above, it is respectfully submitted that the Examiner's rejections 
under 35 U.S.C. Sections 102 and 103 should not be sustained. If needed, Appellant's 
undersigned attorney can be reached at 408 884 1507. For the fee due for this Appeal 
Brief, please refer to the attached Fee Transmittal Sheet. This Brief is submitted in 
triplicate. 



Respectfully submitted, 



Date: September 9, 2005 




John A. Smart, Reg. No. 34,929 
Attorney of Record 



408 884 1507 
815 572 8299 FAX 






10. APPENDIX OF CLAIMS ON APPEAL 

1. (Original) In a system comprising one or more client computers connected to 
the Internet by client premises equipment serving a routing function for client computers, 
a method for managing Internet access based on a specified access policy, the method 
comprising: 

transmitting a challenge from said client premises equipment to each client 
computer, for determining whether a given client computer is in compliance with said 
specified access policy; 

transmitting a response from at least one client computer back to said client 
premises equipment for responding to said challenge that has been issued; and 

blocking Internet access for any client computer that does not respond 
appropriately to said challenge. 

2. (Original) The method of claim 1, wherein a client computer that does not 
respond at all is blocked from Internet access. 

3. (Original) The method of claim 1, wherein a client computer that responds with 
a particular predefined code indicating non-compliance is blocked from Internet access. 

4. (Original) The method of claim 1, wherein a client computer that responds with 
a particular predefined code indicating compliance is permitted Internet access. 

5. (Original) The method of claim 1, further comprising: 

before receipt of a challenge, transmitting an initial message from a particular 
client computer to the client premises equipment, for requesting the client premises 
equipment to transmit a challenge to that particular client computer. 

6. (Original) The method of claim 5, wherein said initial message comprises a 
"client hello" packet. 

7. (Original) The method of claim 1, wherein said client premises equipment is 
capable of permitting Internet access by selected client computers and denying access to 
other client computers. 

8. (Original) The method of claim 1, wherein said access policy specifies rules 
that govern Internet access by the client computers. 

9. (Previously presented) The method of claim 8, wherein said step of blocking 
Internet access includes: 

determining whether permitting Internet access for a given client computer would 
violate any of said rules, and 

if permitting such Internet access would violate any of said rules, denying Internet 
access for that client computer. 

10. (Original) The method of claim 1, wherein said access policy includes rules 
that are enforced against selected ones of users, computers, and groups thereof. 

11. (Original) The method of claim 1, wherein said access policy specifies which 
applications are allowed Internet access. 

12. (Original) The method of claim 1, wherein said access policy specifies 
applications that are allowed Internet access. 

13. (Original) The method of claim 12, wherein said applications are specified by 
executable name and version number that are acceptable. 

14. (Original) The method of claim 12, wherein said applications are specified by 
digital signatures that are acceptable. 

15. (Original) The method of claim 14, wherein said digital signatures are 
computed using a cryptographic hash. 

16. (Original) The method of claim 15, wherein said cryptographic hash 
comprises a selected one of Secure Hash Algorithm (SHA-1) and MD5 cryptographic 
hashes. 

17. (Original) The method of claim 1, wherein said access policy specifies Internet 
access activities that are permitted or restricted for applications or versions thereof. 

18. (Original) The method of claim 1, wherein said access policy specifies rules 
that are transmitted to client computers from a remote location. 

19. (Original) The method of claim 18, wherein said remote location comprises a 
centralized location for maintaining said access policy. 

20. (Previously presented) The method of claim 1, wherein said step of blocking 
Internet access includes: 

determining based on identification of a particular client computer or group 
thereof, a specific subset of rules filtered for that particular client computer or group 
thereof. 

21. (Original) The method of claim 1, wherein said challenge includes a request 
for a particular client computer to respond as to whether it is in compliance with said 
access policy. 

22. (Original) The method of claim 1, further comprising: 

redirecting a client computer that is not in compliance with said access policy to a 
sandbox server; and 

informing such client computer that it is not in compliance with said access 
policy. 

23. (Original) The method of claim 22 further comprising: 

redirecting a client computer that is not in compliance with a particular access 
policy, to a particular port on the sandbox server; and 

displaying particular error message pages on the sandbox server in response to 
communications on particular ports. 

24. (Original) In a system comprising one or more client computers connected to 
the Internet by client premises equipment serving a routing function for client computers, 
a method for managing Internet access based on a specified access policy, the method 
comprising: 

transmitting a challenge from said client premises equipment to each client 
computer, for determining whether a given client computer is in compliance with said 
specified access policy; 

transmitting a response from at least one client computer back to said client 
premises equipment for responding to said challenge that has been issued; and 

redirecting a request for Internet access by any client computer that does not 
respond appropriately to said challenge to a sandbox server. 

25. (Original) The method of claim 24, further comprising: 

displaying an error message on the sandbox server to any client computer that 
does not respond appropriately to said challenge. 

26. (Original) The method of claim 25, further comprising: 
after display of such error message, permitting said client computer to elect to 
access the Internet. 

27. (Original) The method of claim 24, wherein a client computer that responds 
with a particular predefined code indicating non-compliance is redirected to said sandbox 
server. 

28. (Original) The method of claim 24, wherein a client computer that responds 
with a particular predefined code indicating compliance is permitted Internet access. 

29. (Original) The method of claim 24, further comprising: 

before receipt of a challenge, transmitting an initial message from a particular 
client computer to the client premises equipment, for requesting the client premises 
equipment to transmit a challenge to that particular client computer. 

30. (Original) The method of claim 29, wherein said initial message comprises a 
"client hello" packet. 

31. (Original) The method of claim 24, wherein said client premises equipment is 
capable of permitting Internet access by selected client computers and redirecting other 
client computers to the sandbox server. 

32. (Original) The method of claim 24, wherein said access policy includes rules 
that are enforced against selected ones of users, computers, and groups thereof. 

33. (Original) The method of claim 24, wherein said access policy specifies which 
applications are allowed Internet access. 

34. (Original) The method of claim 24, wherein said access policy specifies 
executable names and version number of applications that are allowed Internet access. 

35. (Original) The method of claim 24, wherein said access policy specifies 
Internet access activities that are permitted or restricted for applications or versions 
thereof. 

36. (Original) The method of claim 24, wherein said access policy specifies rules 
that are transmitted to client computers from a remote location. 

37. (Original) The method of claim 36, wherein said remote location comprises a 
centralized location for maintaining said access policy. 

38. (Previously presented) The method of claim 24, wherein said step of 
redirecting a request for Internet access by a client computer includes: 

determining, based on identification of a particular client computer or group 
thereof, a specific subset of rules filtered for that particular client computer or group 
thereof. 

39. (Original) The method of claim 24, wherein said challenge includes a request 
for a particular client computer to respond as to whether it is in compliance with said 
access policy. 

40. (Original) The method of claim 24, further comprising: 

redirecting a client computer that is not in compliance with a particular access 
policy, to a particular port on the sandbox server; and 

displaying particular error messages on the sandbox server in response to 
communications on particular ports. 

41. (Original) The method of claim 24, further comprising: 

permitting client computers that are not in compliance with particular access 
policies to elect to access the Internet; and 

blocking computers that are not in compliance with other access policies from 
accessing the Internet. 

42. (Original) The method of claim 24, wherein said applications are specified by 
digital signatures which are acceptable. 

43. (Original) The method of claim 42, wherein said digital signatures are 
computed using a cryptographic hash. 

44. (Original) The method of claim 43, wherein said cryptographic hash 
comprises a selected one of Secure Hash Algorithm (SHA-1) and MD5 cryptographic 
hashes. 

45. (Original) A system for regulating Internet access by client computers 
comprising: 

an access policy governing Internet access by said client computers; 

client premises equipment serving a routing function for each client computer to 
be regulated and capable of issuing a challenge to each client computer, for determining 
whether a given client computer is in compliance with said access policy; 
one or more client computers which can connect to the Internet and at least one of 
which can respond to challenges issued by said client premises equipment; and 

an enforcement module for selectively blocking Internet access to the Internet to 
client computers not in compliance with said access policy. 

46. (Original) The system of claim 45, wherein said client premises equipment 
includes a router. 

47. (Original) The system of claim 45, wherein said access policy is provided at 
each client computer to be regulated. 

48. (Original) The system of claim 45, wherein said enforcement module is 
provided at said client premises equipment. 

49. (Previously presented) The system of claim 45, wherein said at least one client 
computer which can respond to challenges responds with a particular predefined code 
indicating noncompliance with said access policy and is blocked from Internet access. 

50. (Previously presented) The system of claim 45, wherein a client computer that 
responds with a particular predefined code indicating compliance with said access policy 
is permitted Internet access. 

51. (Original) The system of claim 45, wherein at least one of the client computer 
is capable of transmitting an initial message to the client premises equipment before 
receipt of a challenge, for requesting the client premises equipment to transmit a 
challenge to that particular client computer. 

52. (Original) The system of claim 45, wherein said enforcement module is 
capable of permitting Internet access by selected client computers and denying access to 
other client computers. 

53. (Original) The system of claim 45, wherein said access policy includes rules 
that are enforced against selected ones of users, computers, and groups thereof. 

54. (Original) The system of claim 53, wherein said enforcement module is 
capable of determining, based on identification of a particular client computer or group 
thereof, a specific subset of said access policies filtered for that particular client computer 
or group thereof. 

55. (Original) The system of claim 45, wherein said access policy specifies 
applications that are allowed Internet access. 

56. (Original) The system of claim 55, wherein said applications are specified by 
executable name and version number that are acceptable. 

57. (Original) The system of claim 55, wherein said access policy specifies types 
of activities which applications are allowed to perform or restricted from performing. 

58. (Original) The system of claim 55, wherein said applications are specified by 
digital signatures that are acceptable. 

59. (Original) The system of claim 58, wherein said digital signatures are 
computed using a cryptographic hash. 

60. (Original) The system of claim 59, wherein said cryptographic hash comprises 
a selected one of Secure Hash Algorithm (SHA-1) and MD5 cryptographic hashes. 

61 . (Original) The system of claim 45, further comprising: 

a sandbox server to which client computers that are not in compliance with said 
access policy are redirected. 

62. (Original) The system of claim 61, wherein said sandbox server informs non- 
compliant client computers that they are not in compliance with said access policy. 

63. (Original) The system of claim 62, wherein said client computers may elect to 
access the Internet after being informed that they are not in 
compliance with said access policy. 

64. (Original) The system of claim 61, wherein: 

said enforcement module is capable of redirecting a client computer that is not in 
compliance with a particular access policy to a particular port on the sandbox server; and 

said sandbox server is capable of displaying particular error message pages in 
response to communications on particular ports. 
PATENT 

Docket No. VTV/0003.01 



IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 



Examiner: Divecha, Kamal B 
Art Unit: 2151 
APPEAL BRIEF 



In re application of: 
Gregor P. Freund et al. 

Serial No.: 09/944,057 

Filed: August 30, 2001 

For: System Providing Internet Access 
Management with Router-based Policy 
Enforcement 

Mail Stop Appeal 
Commissioner for Patents 
P.O. Box 1450 
Alexandria, VA 22313-1450 

Sir: 



BRIEF ON BEHALF OF GREGOR P. FREUND ET AL. 

This is an appeal from the Final Rejection mailed April 7, 2005, in which 
currently-pending claims 1-64 stand finally rejected. Appellant filed a Notice of Appeal 
on July 11, 2005 (as indicated by return of a confirmation postcard marked "OIPE JUL 11 
2005"). This brief is submitted in triplicate in support of Appellant's appeal. 
5. SUMMARY OF INVENTION 

Appellant's invention comprises a system providing for a security component on 
client premises equipment (e.g., a router) to check compliance of a client computer with 
an access policy before permitting the computer to access the Internet (e.g., Appellant's 
specification, page 19, lines 22-27). Appellant's system delegates a portion of the overall 
operation of a security solution to a local piece of client premises equipment which 
enforces compliance by client computers with an access policy governing Internet access 
(e.g., Appellant's specification, page 19, lines 19-27). Every few seconds a security 
component of the present invention on client premises equipment (e.g., Fig. 3 at 310, 
311) sends a communication referred to as a "router challenge" to computers on the local 
network (e.g., Appellant's specification, page 20, lines 23-24; Fig. 3 at 320, 330, 340). 
The router challenge requests a response from the local computers (Appellant's 
specification, page 20, lines 24-25). At the local computers, a client-side security 
component of the present invention prepares and returns a response to the router 
challenge (e.g.. Appellant's specification, page 25, lines 19-22; Fig. 3 at 321, 341). The 
responses to the router challenge that are received (if any) are stored in the router 
compliance table (e.g., Appellant's specification, page 21, lines 10-12; Fig. 3 at 312). 

Each time the client premises equipment receives a request to connect to the 
Internet from a particular computer, its security component evaluates the 
responses in the router compliance table to determine whether or not the particular 
computer properly responded to the most recent router challenge (e.g., Appellant's 
specification, page 21, lines 12-15; Fig. 3 at 311, 312). If the computer properly 
responded to the challenge and was determined to be in compliance with the access 
policy, then the security component on the client premises equipment permits the 
computer to access the Internet (e.g., Appellant's specification, page 21, lines 15-18). 
However, if the computer did not answer the router challenge or responded with 
information indicating that it was not in compliance with the access policy, then it is not 
allowed to connect to the Internet (e.g., Appellant's specification, page 21, lines 19-26). 
Instead, the non-compliant computer is redirected to a "sandbox" server to address the 
non-compliance (e.g., Appellant's specification, page 21, lines 26-30; Fig. 3 at 313, 330, 
360). The non-compliant computer is only permitted to connect to the sandbox server for 
performing a defined set of tasks and all other Internet access by the non-compliant 
computer is disabled (e.g., Appellant's specification, page 21, lines 28-30). 
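The challenge, compliance-table and enforcement sequence summarized above, modelled as an added illustration. This is example code written for this page; it is not code from the application, its assignee, or any of the cited references. The encoding of the "predefined codes", the policy format (executable name and version, or SHA-1 digest of the image, as claims 13-16 recite), the sandbox host name and per-policy ports, the hypothetical `Policy`/`Client`/`Router` names, and the rule that an answer older than two challenge intervals counts as no answer are all assumptions made for the example.

```python
"""Router-challenge / compliance-table flow, modelled in Python.

Added illustration, not code from the application or its assignee. Response
codes, policy format, sandbox host/ports and the staleness rule are assumed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

COMPLIANT = "COMPLIANT"           # assumed encodings of the "predefined codes"
NON_COMPLIANT = "NONCOMPLIANT"    # recited in claims 3-4 and 27-28
SANDBOX_HOST = "sandbox.example"  # assumed name of the sandbox server


@dataclass(frozen=True)
class Policy:
    """Applications allowed Internet access, identified by executable name and
    version (claims 13, 34) or by SHA-1 digest of the image (claims 14-16)."""
    name: str
    allowed_versions: Dict[str, Set[str]]   # executable name -> acceptable versions
    allowed_digests: Set[str]               # acceptable SHA-1 hex digests
    sandbox_port: int                       # per-policy port on the sandbox (claims 23, 40)
    user_may_override: bool = False         # claim 41: some policies allow electing to proceed


@dataclass
class Client:
    """A LAN host. has_agent=False models a machine with no client-side security
    component, which therefore never answers a challenge (claim 2)."""
    host: str
    apps: List[Tuple[str, str, bytes]]      # (executable name, version, image bytes)
    has_agent: bool = True

    def respond(self, policy: Policy) -> Optional[str]:
        """Client-side component evaluates the policy locally and returns a code."""
        if not self.has_agent:
            return None
        for exe, version, image in self.apps:
            ok_version = version in policy.allowed_versions.get(exe, set())
            ok_digest = hashlib.sha1(image).hexdigest() in policy.allowed_digests
            if not (ok_version or ok_digest):
                return NON_COMPLIANT
        return COMPLIANT


class Router:
    """Client premises equipment: issues the periodic challenge, keeps the
    compliance table, and enforces on each Internet access request."""

    def __init__(self, policy: Policy, interval: float = 5.0):
        self.policy = policy
        self.interval = interval                                    # seconds between challenges
        self.table: Dict[str, Tuple[Optional[str], float]] = {}     # host -> (code, issued_at)

    def challenge(self, clients: List[Client], now: float) -> None:
        """Send the router challenge and record whatever comes back (or nothing)."""
        for client in clients:
            self.table[client.host] = (client.respond(self.policy), now)

    def decide(self, host: str, now: float, user_elected: bool = False):
        """Verdict for an Internet access request from host: ('ALLOW', None) or
        ('REDIRECT', (sandbox host, port)). An answer older than two intervals is
        treated as no answer (assumed staleness rule, not recited in the claims)."""
        code, issued = self.table.get(host, (None, None))
        if issued is None or now - issued > 2 * self.interval:
            code = None
        if code == COMPLIANT:
            return ("ALLOW", None)
        if user_elected and self.policy.user_may_override:
            return ("ALLOW", None)   # claims 26/41: user elected to proceed after the error page
        return ("REDIRECT", (SANDBOX_HOST, self.policy.sandbox_port))


def run_demo() -> Dict[str, str]:
    """Constructed scenario: four hosts, one challenge round, then access requests."""
    good_image = b"constructed stand-in for an approved executable image"  # not a real binary
    policy = Policy(
        name="corp-internet",
        allowed_versions={"iexplore.exe": {"6.0"}},
        allowed_digests={hashlib.sha1(good_image).hexdigest()},
        sandbox_port=8081,
    )
    clients = [
        Client("10.0.0.11", [("iexplore.exe", "6.0", b"any bytes")]),   # allowed by name+version
        Client("10.0.0.12", [("browser.exe", "1.0", good_image)]),      # allowed by digest
        Client("10.0.0.13", [("iexplore.exe", "5.5", b"old build")]),   # wrong version
        Client("10.0.0.14", [], has_agent=False),                        # never answers
    ]
    router = Router(policy, interval=5.0)
    router.challenge(clients, now=100.0)
    result = {c.host: router.decide(c.host, now=102.0)[0] for c in clients}
    result["10.0.0.11 (stale answer)"] = router.decide("10.0.0.11", now=200.0)[0]
    return result


if __name__ == "__main__":
    for host, verdict in run_demo().items():
        print(f"{host:28s} {verdict}")
```

One caveat a practitioner would raise: as the claims recite it, the response is just a code returned by the client-side component, so any host that can speak the protocol can return the compliance code regardless of its actual state. Nothing in the claims or the summary describes a key or signature binding the response to the client component, and the model above deliberately reproduces that gap; in a real deployment the response would have to be authenticated (for example, a keyed digest over the challenge) before the router trusts it.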

6. ISSUES 

The issues presented on appeal are: (1) whether claims 1, 3-6, 8, 11, 12, 17, 21, 
45, 46, 47, 48-51, 55 and 57 are unpatentable under 35 U.S.C. 102(e) as being anticipated 
by U.S. Patent No. 6,463,474 B1 issued to Fuh et al. (hereinafter "Fuh"); (2) whether 
claims 2, 7, 10, 13-16, 18-19, 20, 47, 52-54, 56, and 58-60 are unpatentable under 35 
U.S.C. 103(a) as being obvious over Fuh; (3) whether claims 22-25, 27-37, 39, 40, and 
42-44 are unpatentable under 35 U.S.C. 103(a) as being obvious over Fuh in view of U.S. 
Patent No. 5,761,683 to Logan et al. (hereinafter "Logan"); (4) whether claims 26 and 41 
are unpatentable under 35 U.S.C. 103(a) as being obvious over Fuh in view of Logan, 
further in view of U.S. Patent No. 6,026,440 to Shrader et al. (hereinafter "Shrader"); (5) 
whether claim 61 is unpatentable under 35 U.S.C. 103(a) as being obvious over Fuh in 
view of US Patent No. 6,542,933 to Durst, Jr. et al. (hereinafter "Durst"); and (6) whether 
claims 62-64 are unpatentable under 35 U.S.C. 103(a) as being obvious over Fuh in view 
of Durst, and further in view of Shrader. 

7. GROUPING OF CLAIMS 

For purposes of this appeal, Appellant believes that the following groups of 
claims are separately patentable under Sections 102 and 103. Thus, the claims do not 
stand or fall together with respect to the rejections under Sections 102 and 103 but are 
instead grouped as follows: 

Group I: claims 1, 3-6, 8, 11, 12, 17, 21, 45, 46, 47, 48-51, 55 and 57 

Group II: claims 2, 7, 10, 13-16, 18-19, 20, 47, 52-54, 56, 58-60 

Group III: claims 22-25, 27-37, 39, 40, and 42-44 

Group IV: claims 26 and 41 

Group V: claim 61 

Group VI: claims 62-64 
(The reasoning supporting separate patentability of the above groups is set forth in 
detail below, in the Argument section.) 

8. ARGUMENT 

A. Rejection under 35 U.S.C. Section 102(e) 

1. General 

Under Section 102, a claim is anticipated only if each and every element as set 
forth in the claim is found, either expressly or inherently described, in the single prior art 
reference. (See, e.g., MPEP Section 2131.) As will be shown below, the reference fails 
to teach each and every element set forth in claim 1, as well as other claims, and therefore 
fails to establish anticipation of the claimed invention under Section 102. 

2. Group 1 claims 

Claims 1, 3-6, 8, 11, 12, 17, 21, 45, 46, 47, 48-51, 55 and 57 stand rejected under 
35 U.S.C. 102(e) as being anticipated by U.S. Patent No. 6,463,474 Bl issued to Fuh et 
al. (hereinafter "Fuh"). Initially, it should be noted that the Examiner has not included 
claims 9 and 22 in the list of claims rejected as anticipated by Fuh at paragraph 2 at page 
2 of the Office Action mailed April 7, 2005 (hereinafter "Second Office Action"). 
However, it will be assumed that the Examiner meant to include claims 9 and 22 in this 
list of claims rejected as anticipated by Fuh as the Examiner has so indicated at paragraph 
6 at page 6 and at paragraph 2 at page 4 of the Second Office Action, respectively. 

The following rejection of Appellant's claim 1 by the Examiner is representative 
of the Examiner's rejection of the Appellant's claims of this group as being anticipated by 
Fuh: 

With respect to claim 1, Fuh et al discloses: In a system comprising one or more 
client computers connected to the Internet by client premises equipment serving a 
routing function for client computers (figure 3 item #306, item #210, item #216), 
a method for managing Internet access based on a specified access policy (see 
abstract), the method comprising: transmitting a challenge from said client 
premises equipment to each client computer (figure 4 item #403), for determining 
whether a given client computer is in compliance with said specified access 
policy; transmitting a response from at least one client computer back to said 
client premises equipment, for responding to said challenge that has been issued 
(figure 4 item #404); and blocking Internet access for any client computer that 
does not respond appropriately to said challenge (figure 7A block #707). 

(Second Office Action, paragraph 2, page 2) 

As noted above, a claim is anticipated only if each and every element as set forth 
in the claim is found, either expressly or inherently described, in the single prior art 
reference. As will be shown below, Fuh fails to teach each and every element set forth in 
claims 1 and 45 (as well as other claims) and therefore fails to establish anticipation of 
the claimed invention under Section 102. 

The Examiner equates Fuh's firewall router which authenticates users with 
Appellant's security system which provides for client premises equipment (e.g., a router) 
to regulate access to the Internet by client computers based on an access policy. At the 
outset, Appellant does not claim to have invented the notion of authenticating a user at a 
router. To be sure, at a high level both Fuh's system and Appellant's invention involve 
routers (or other similar client premises equipment). However, Appellant's claimed 
invention includes specific elements that distinguish it from Fuh's system. As described 
below, Fuh's system decides whether to authenticate a user for access to particular 
resources (e.g., an intranet) based on user login information, while Appellant's security 
system serves a different purpose in enforcing compliance by client computers with an 
access policy governing Internet access by the client computers. In Appellant's system, 
for example, the access policy may specify which particular applications are allowed 
Internet access, thereby allowing users (including administrators) to block spyware and 
other malware from accessing the Internet from a given client machine (thereby 
preventing the transmission of confidential or sensitive information from the client 
computer (e.g., desktop computer, laptop, or the like) to third party perpetrators on the 
Internet). These and other differences between Appellant's invention and Fuh's system 
become apparent when the elements of Appellant's claims are compared to the specific 
teachings of Fuh cited by the Examiner. 

As a first example, the Examiner references Fuh's abstract for the teaching of "a 
method for managing Internet access based on a specified access policy" as stated in 
Appellant's claim 1. However, Fuh's abstract describes a router that intercepts traffic 
from a client directed towards a network resource for purposes of authenticating the client 
(i.e., user) at the router. It does not describe an access policy for managing Internet 
access by client computers. The Examiner also references Fuh at col 6, lines 1-5 for the 
teaching of the comparable element of Appellant's claim 45 of "an access policy 
governing Internet access by client computers". However, this portion of Fuh reads as 
follows: 

...the invention encompasses a computer system for controlling access of a client 
to a network resource using a network device that is logically interposed between 
the client and the network resource, comprising ... creating and storing client 
authorization information at the network device, wherein the client authorization 
information comprises information indicating whether the client is authorized to 
communicate with the network resource and what access privileges the client is 
authorized to have with the network resource. 

(Fuh, col. 5, line 58 - col. 6, line 5, emphasis added) 

Fuh's authentication proxy is implemented at a firewall router which protects a 
particular network resource from access by external user(s). Fuh's system is focused on 
protecting this particular resource (e.g., server on an intranet serving a given 
organization). If an external user seeking to access the particular network resource is 
authenticated by Fuh's system, then the system also indicates what access privileges the 
user is authorized to have with the particular network resource. The "access privileges" 
that are given to users by Fuh's system relate to the particular network resource. 

Appellant's access policy, in contrast, relates to Internet access by client 
computers and not to a particular network resource. Another significant difference is that 
Fuh's "access privileges" (or "user profile") are applied to a particular user after the 
decision about whether or not to authenticate the particular user for access to the network 
resource is made (Fuh, col. 7, lines 56-58). This is not Appellant's approach. Appellant's 
access policy is not applied after the decision to permit access is made. Instead, 
Appellant's system examines compliance with the access policy in making the decision 
about whether to permit access. For these reasons, Fuh's access privileges are not 
comparable to Appellant's claim element of "managing Internet access based on a 
specified access policy" which governs Internet access by client computers. 

Another major difference between the system of Fuh and that of Appellant is that 
the "challenge" issued by Fuh's system requests login information for authentication of a 
user. Appellant's invention, in contrast, issues a challenge to a client computer for 
determining whether the client computer is in compliance with the above-described 
access policy governing Internet access by client computers. The Examiner references 
the element 403 at Fig. 4 of Fuh for the teaching of determining whether a client 
computer is in compliance with an access policy. However, the following description of 
this element 403 in the Fuh reference clearly indicates that the purpose of this "challenge" 
is to obtain user login information: 

Referring again to FIG. 7B, after the new authentication cache is created, login 
information is requested from the client, as shown in block 724. For example, 
Authentication Proxy 400 obtains authentication information from User 302 by 
sending a login form to client 306. The login form is an electronic document 
that requests User 302 to enter username and password information, as 
shown by path 403. 

(Fuh, col. 11, lines 49-55) 

As illustrated above, Fuh's system is focused on authenticating a user based on 
login information (e.g., username and password), rather than based on compliance of the 
client computer with an access policy governing Internet access. The "challenge" issued 
by Fuh's authentication proxy requests a user to enter a username and password in a login 
form. Fuh's system determines whether or not to permit remote access to particular 
resources (e.g., intranet) based on this user login information. If the login information 
supplied by the user is correct and the authentication process is successful, access is 
permitted and the authentication cache is updated so that subsequent requests can 
authenticate at the firewall router without consulting a separate authentication server 
(Fuh, col. 12, lines 38-47). 

Unlike Fuh's system, Appellant's invention does not permit or block requests for 
access based on user login information. Instead, Appellant's system determines 
whether a given client computer is in compliance with the specified access policy 
governing Internet access. If the client computer is not in compliance with the access 
policy, Appellant's invention blocks access to the Internet. These features are specifically 
described in Appellant's claims, including, for example, in Appellant's claim 1 which 
includes the following claim limitations: 

1. In a system comprising one or more client computers connected to the Internet 
by client premises equipment serving a routing function for client computers, a 
method for managing Internet access based on a specified access policy, the 
method comprising: 

transmitting a challenge from said client premises equipment to each client 
computer, for determining whether a given client computer is in compliance 
with said specified access policy; 

transmitting a response from at least one client computer back to said client 
premises equipment for responding to said challenge that has been issued; and 
blocking Internet access for any client computer that does not respond 
appropriately to said challenge. 

(Appellant's claim 1, emphasis added) 

As shown above, Appellant's invention provides for client premises equipment to 
regulate access to the Internet by client computers. The decision about whether to allow 
Internet access by a given computer is based on compliance by the given computer with 
the above-described access policy. This is different than Fuh's approach which teaches 
authenticating a user for access based on login information (e.g., user name and 
password) supplied by the user. 

Another difference between Appellant's approach and that of Fuh is that 
Appellant's system provides for blocking access by the client computer to the Internet, 
while Fuh's system focuses on blocking external access to particular resources (e.g., an 
intranet server). Fuh's system is implemented in a firewall router which provides for 
examining incoming attempts from external sources to access a particular network 
resource (e.g., server on intranet). Appellant's invention, in contrast, provides for local 
client premises equipment to enforce compliance by client computers with the access 
policy governing Internet access. This is specifically indicated in Appellant's claim 1 
which includes the following claim limitations: 

In a system comprising one or more client computers connected to the Internet by 
client premises equipment serving a routing function for client computers, a 
method for managing Internet access based on a specified access policy, the 
method comprising: 

transmitting a challenge from said client premises equipment to each client 
computer, for determining whether a given client computer is in compliance with 
said specified access policy; 

(Appellant's claim 1, emphasis added). 

The Examiner references Fig. 3, item 210 and the login arrow 402 shown at Fig. 4 
of Fuh for the corresponding teaching of client premises equipment serving a routing 
function for each client computer to be regulated which issues a challenge to client 
computers. However, Fuh instead describes a firewall router which regulates remote 
access to particular resources (i.e., the intranet 216) as illustrated by the following: 

The firewall router 210 is coupled to intranet 216, and an authentication and 
authorization server 218 ("AAA server"). The firewall router 210 controls remote 
access to intranet 216. 

(Fuh, col. 8, lines 25-28, emphasis added) 

As shown at Fig. 2, in Fuh's system the LAN 206 and intranet 216 are located in 
logically distinct regions (Fuh, Fig. 2). The LAN 206 is located in a first region 202 and 
the intranet 216 is located in the second region 204, which may be geographically 
separate (Fuh col. 8, lines 14-19). Appellant's invention, in contrast, provides for the 
access policy governing Internet access by client computers to be enforced by client 
premises equipment serving a routing function for the client computers that are being 
regulated, such as a router on the local LAN. If a given client computer is not in 
compliance with the access policy, access to the Internet by the client computer is 
regulated (i.e., selectively blocked). These limitations of client premises equipment 
regulating Internet access by a client computer based on whether the client computer is in 
compliance with an access policy are also recited in Appellant's claim 45, as follows: 

A system for regulating Internet access by client computers comprising: 

an access policy governing Internet access by said client computers; 

client premises equipment serving a routing function for each client computer to 
be regulated and capable of issuing a challenge to each client computer, for 
determining whether a given client computer is in compliance with said 
access policy; 

an enforcement module for selectively blocking Internet access to the Internet to 
client computers not in compliance with said access policy. 

(Appellant's claim 45, emphasis added) 

Additional distinctions between Appellant's invention and that of Fuh are 
illustrated in Appellant's dependent claims. For example, Appellant's claim 12 includes 
the following claim limitations: 

The method of claim 1, wherein said access policy specifies applications that are 
allowed Internet access. 

(Appellant's claim 12) 

As shown above, Appellant's claimed approach involves an access policy which 
specifies particular applications which are allowed Internet access. Appellant's claims 11 
and 55 also include similar claim limitations. The Examiner references Fuh at column 7, 
lines 56-58 for the teaching of an access policy specifying applications that are allowed 
Internet access. However, the referenced portion of Fuh reads as follows: 

If the username is successfully authenticated, then the firewall is dynamically 
configured to open a passageway for the HTTP packets as well as other types of 
network traffic initiated from the user on the client. The other types of network 
traffic that are permitted through the passageway are specified in a user profile for 
that particular user. 

(Fuh, col. 7, lines 56-58, emphasis added) 

As described above, Fuh's system receives identity information (e.g., username 
and password) for authenticating a user. After the user's identity is authenticated, Fuh's 
system permits particular types of network traffic initiated by that particular user which 
are specified in the user's profile. The Examiner states that Fuh's "user profile" for a 
"particular user" is equivalent to Appellant's claim limitations of an access policy 
regulating access to the Internet by client computers which specifies applications allowed 
to access the Internet. However, the teachings of Fuh referenced by the Examiner 
indicate that Fuh's system decides whether or not to authenticate a user based on user 
login information and without examination of applications on the client computer. As 
previously described, the user profile (or access privileges) is applied by Fuh's system 
only after the decision about whether to permit access is made (i.e., after the user is 
authenticated). This is not Appellant's claimed approach. Appellant's claimed approach 
provides for determining whether or not to permit Internet access based on compliance 
with an access policy which specifies particular applications which are approved for 
Internet access . Appellant's approach provides for making the decision about whether or 
not to permit access based on the access policy. This is not the same as applying a profile 
or set of privileges to a user after the decision to permit access to the user has been made. 

All told, Fuh's system is distinguishable from that of Appellant on several grounds 
which are specifically included as claim limitations of Appellant's claims 1 and 45 and 
other dependent claims thereof. As described above, Fuh provides no teaching 
comparable to Appellant's claim limitations of an access policy governing Internet access 
by client computers. Significantly, Fuh's firewall router provides for determining whether 
or not to authenticate a user for access to particular network resources based on user login 
information. In contrast, Appellant's invention regulates Internet access based on whether 
or not a client computer attempting Internet access is in compliance with the specified 
access policy. The policy itself may include specific rules governing access (e.g., rules 
specifying particular applications that are approved for Internet access). Such features 
cannot be reproduced with the teachings of Fuh. As Fuh does not teach or suggest all of 
the claim limitations of Appellant's independent claims 1 and 45 (and other dependent 
claims thereof) it is respectfully submitted that the claims distinguish over this reference 
and that the Examiner's rejection under Section 102 should not be sustained. 
B. Rejections under 35 U.S.C. Section 103(a) 

1. General 

Under Section 103(a), a patent may not be obtained if the differences between the 
subject matter sought to be patented and the prior art are such that the subject matter as a 
whole would have been obvious at the time the invention was made to a person having 
ordinary skill in the art to which the subject matter pertains. To establish a prima facie 
case of obviousness under this section, the Examiner must establish: (1) that there is 
some suggestion or motivation, either in the references themselves or in the knowledge 
generally available to one of ordinary skill in the art, to modify the reference or to 
combine reference teachings, (2) that there is a reasonable expectation of success, and (3) 
that the prior art reference (or references when combined) must teach or suggest all the 
claim limitations. (See, e.g., MPEP 2142.) The references cited by the Examiner fail to 
meet these conditions. 

2. Group II claims 

The Examiner has rejected claims 2, 7, 10, 13-16, 18-19, 20, 47, 52-54, 56, and 
58-60 under 35 U.S.C. 103(a) as being obvious over Fuh. It should be noted that the 
Examiner has previously rejected claims 47 and 55 as being anticipated by Fuh under 
Section 102 (Second Office Action, paragraph 2 at page 5 and paragraph 4 at page 5), 
and has also mentioned rejecting these claims as being obvious over Fuh under Section 
103(a) (Second Office Action, paragraph 8 at page 6 and paragraph 12 at page 9). It will 
be assumed that the Examiner meant to reject claims 47 and 55 as anticipated by Fuh 
under Section 102. 

As to the claims of this group rejected as obvious over Fuh, the Examiner 
acknowledges that Fuh does not explicitly disclose elements of these claims, but states 
that the elements not explicitly disclosed in Fuh would have been obvious to one 
ordinarily skilled in the art. The Examiner's rejection of Appellant's claims 13-16 as 
follows is representative of the Examiner's rejection of Appellant's claims as obvious over 
Fuh: 
As per claims 13-16, Fuh et al does not explicitly disclose: applications are 
specified by executable name and version number, applications are specified by 
digital signatures, digital signatures are computed using a cryptographic hash and 
wherein said cryptographic hash comprises a selected one of Secure Hash 
Algorithm (SHA-1) and MD5 cryptographic hashes, however it would have been 
obvious to the one of ordinary skill in the art to use the above specified elements 
because it would have allowed a router to make a correct decision (block or 
permit) by comparing executable names and securely transfer the data to the 
destination. 

(Second Office Action, paragraph 14) 

Claims 2, 7, 10, 13-16, 18-19, 20, 47, 52-54, 56, 58-60 are dependent upon 
Appellant's independent claims 1 and 45 and therefore are believed to be allowable for at 
least the reasons cited above pertaining to the deficiencies of Fuh in respect to Appellant's 
invention. As described above, Fuh does not teach client premises equipment issuing 
challenges to client computers for determining compliance of such client computers with 
an access policy governing Internet access. The claims are believed to be patentable for 
the following additional reasons. 

Appellant's claim 12 includes limitations providing that an access policy 
governing Internet access by client computers specifies particular applications which are 
approved for Internet access. The limitations of claim 13 further provide that the access 
policy specifies not only those applications approved for Internet access, but also 
specifies particular executable names and version numbers of the applications approved 
for Internet access. The Examiner acknowledges that Fuh does not provide the specific 
teaching of an access policy in which applications approved for Internet access are 
"specified by executable name and version number that are acceptable" as provided in 
Appellant's claim 13, but states that "it would have been obvious to the one of ordinary 
skill in the art to use the above specified elements because it would have allowed a router 
to make a correct decision (block or permit) by comparing executable names and securely 
transfer the data to the destination" (Second Office Action, paragraph 8, page 8). 
However, as described above, Fuh teaches that the decision about whether or not to 
permit access is based on user login information (e.g., user name and password). Thus, 
examining the executable name and version number of an application is inconsistent with 
Fuh's approach as Fuh's system decides whether to authenticate a user and permit access 
on the basis of user login information. Appellant's system, in contrast, makes the 
decision about whether or not to permit access based on compliance with the access 
policy. The access policy, in turn, may specify executable names and version numbers of 
applications which are allowed Internet access. 

If anything, Fuh's described approach of making the decision about whether to 
permit access to a particular user based on user login information teaches away from that 
adopted by Appellant. For the reasons stated, it is respectfully submitted that Appellant's 
claims of this group distinguish over the prior art and that the Examiner's rejection under 
Section 103 should not be sustained. 

3. Group III claims 

The Examiner has rejected claims 22-25, 27-37, 39, 40, and 42-44 under 35 
U.S.C. 103(a) as being obvious over Fuh in view of U.S. Patent No. 5,761,683 to Logan 
et al. (hereinafter "Logan"). In addition, the Examiner has rejected claim 38 in paragraph 
31 at page 12 of the Second Office Action; however, the Examiner has not specifically 
included claim 38 in the list of claims rejected as obvious based on Fuh in view of Logan. 
It is assumed that claim 38 is rejected as being obvious over Fuh in view of Logan. 

As to the claims of this group, the Examiner acknowledges that Fuh does not 
explicitly disclose the elements of redirecting a client computer that is not in compliance 
with the access policy to a sandbox server and adds Logan for the teachings of redirecting 
a client computer not in compliance with an access policy to a particular sandbox server 
and displaying particular error message pages on the sandbox server in response to 
communications on particular ports (Second Office Action, paragraph 17, pages 9-10). 

Claims 22-25, 27-37, 38, 39, 40, and 42-44 are believed to be allowable for at 
least the reasons cited above pertaining to the deficiencies of Fuh in respect to Appellant's 
invention. As described above, Fuh teaches authenticating a user based on user login 
information and not examining compliance by a client computer with an access policy. 
Logan does not cure the above-described deficiencies of Fuh as it provides no teaching of 
client premises equipment which monitors and enforces compliance by client computers 
with an access policy governing Internet access. Furthermore, Appellant's review of Logan 
finds that it does not include the specific limitations set forth in Appellant's claims of 
redirecting a client determined not to be in compliance with the access policy to a 
"sandbox" server. These limitations are, for example, provided in Appellant's claim 24 as 
follows: 

transmitting a challenge from said client premises equipment to each client 
computer, for determining whether a given client computer is in compliance with 
said specified access policy; 

transmitting a response from at least one client computer back to said client 
premises equipment, for responding to said challenge that has been issued; and 
redirecting a request for Internet access by any client computer that does not 
respond appropriately to said challenge to a sandbox server. 

(Appellant's claim 24, emphasis added) 

The Examiner references Logan at column 19, lines 63-67 for the teaching of 
redirecting a URL request to a remote server and Logan at column 7, lines 41-48 for 
display of an error message to indicate to a user that a request did not succeed. The 
referenced portions of Logan cited by the Examiner simply discuss conventional steps of 
handling requests for remotely stored documents by redirecting certain requests to 
retrieve locally stored copies and sending other requests to a remote web server(s). 
Logan's system provides for returning either the information (e.g., HTML document, 
graphical image, FTP file, or other displayable data) or an error message if the attempt to 
obtain the information does not succeed (Logan, column 7, lines 41-48). This does not 
teach anything analogous to Appellant's claimed approach of redirecting a client 
computer determined not to be in compliance with the access policy to a particular 
"sandbox server" as provided in Appellant's claims. As the combined references do not 
teach or suggest all of the claim limitations of Appellant's claims, it is respectfully 
submitted that the claims distinguish over these references and that the rejection under 
Section 103 is improper. 
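To make the claimed mechanism concrete, the following Python program is offered as an added illustration; it is not drawn from Appellant's specification, from any Check Point product, or from the cited references. It models the exchange of claims 1 and 45 (a challenge from the client premises equipment, a response from the client computer, and a block where the response is not appropriate), the identification of allowed applications by executable name, version number and SHA-1 digest in claims 13-16, and the alternative of redirecting a non-compliant client to a sandbox server in claim 24. The message format, the nonce carried in the challenge, the client's self-reported application inventory, the response handling, and the sample policy are assumptions of this example only; the byte strings stand in for executable images and are constructed for the illustration.

```python
# Added illustration of the claimed CPE challenge/response; not Check Point's code.
# Message format, nonce, inventory reporting and sample policy are assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Possible decisions of the client premises equipment (CPE) for one client.
PERMIT, BLOCK, SANDBOX = "PERMIT", "BLOCK", "SANDBOX"


@dataclass(frozen=True)
class AppRule:
    """One policy entry: an application allowed Internet access (claim 12), named by
    executable name, optionally a version (claim 13) and a SHA-1 digest (claims 14-16)."""
    name: str
    version: Optional[str] = None
    sha1: Optional[str] = None

    def matches(self, name: str, version: str, sha1: str) -> bool:
        if name != self.name:
            return False
        if self.version is not None and version != self.version:
            return False
        if self.sha1 is not None and not hmac.compare_digest(self.sha1, sha1):
            return False
        return True


class AccessPolicy:
    """Rules governing Internet access by client computers (claim 8)."""

    def __init__(self, rules, sandbox_on_failure=False):
        self.rules = tuple(rules)
        # Claim 1 blocks a non-compliant client; claim 24 instead redirects its
        # Internet requests to a sandbox server.  This flag selects the outcome.
        self.sandbox_on_failure = sandbox_on_failure

    def app_allowed(self, name, version, sha1):
        return any(r.matches(name, version, sha1) for r in self.rules)


class ClientPremisesEquipment:
    """Router-side component: issues challenges and decides per client computer."""

    def __init__(self, policy):
        self.policy = policy
        self.pending = {}  # client_id -> nonce of the outstanding challenge

    def challenge(self, client_id):
        # Issued e.g. on receipt of a "client hello" (claims 5-6).  The nonce is an
        # assumption: it binds the answer to this challenge so that a recorded
        # compliant answer cannot simply be replayed later.
        nonce = secrets.token_hex(16)
        self.pending[client_id] = nonce
        return {"nonce": nonce}

    def decide(self, client_id, response):
        """Apply the policy to the client's answer (claims 1-4, 9 and 24)."""
        failure = SANDBOX if self.policy.sandbox_on_failure else BLOCK
        nonce = self.pending.pop(client_id, None)
        if nonce is None or response is None:          # claim 2: no response at all
            return failure
        if not hmac.compare_digest(response.get("nonce", ""), nonce):
            return failure                              # answer to some other challenge
        for app in response.get("apps", []):            # claim 9: would any rule be violated?
            if not self.policy.app_allowed(app["name"], app["version"], app["sha1"]):
                return failure
        return PERMIT


class ClientAgent:
    """Host-side agent answering the challenge with the applications that want
    Internet access, each given as (executable name, version, image bytes)."""

    def __init__(self, apps):
        self.apps = list(apps)

    def respond(self, challenge):
        return {"nonce": challenge["nonce"],
                "apps": [{"name": n, "version": v,
                          "sha1": hashlib.sha1(img).hexdigest()}
                         for n, v, img in self.apps]}


# Constructed sample "executables": byte strings standing in for on-disk images.
BROWSER_V9 = b"browser 9.0 image bytes"
BROWSER_V8 = b"browser 8.0 image bytes"
SPYWARE = b"updater that phones home"

POLICY = AccessPolicy([
    AppRule("browser.exe", version="9.0",
            sha1=hashlib.sha1(BROWSER_V9).hexdigest()),
    AppRule("mail.exe"),  # any version, no digest pinned
])


def run_exchange(policy, apps, responds=True):
    """One complete challenge/response round for a single client computer."""
    cpe = ClientPremisesEquipment(policy)
    challenge = cpe.challenge("host-1")
    response = ClientAgent(apps).respond(challenge) if responds else None
    return cpe.decide("host-1", response)
```

Two points a practitioner would check against the specification. First, the CPE in this model trusts the agent's self-reported inventory; nothing in the quoted claims states how the response is authenticated, so a compromised client could report a compliant inventory, and the nonce only prevents replay of an earlier answer. Second, the Examiner's paragraph names SHA-1 and MD5 as the hashes; both are now known to admit collisions, so an allow-list of executables built today would pin SHA-256 digests instead, which changes nothing in the structure above.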
4. Group IV claims 

The Examiner has rejected claims 26 and 41 under 35 U.S.C 103(a) as being 
obvious over Fuh in view of Logan, further in view of U.S. Patent No. 6,026,440 to 
Shrader et al. (hereinafter "Shrader"). The Examiner acknowledges that Fuh and Logan 
do not explicitly disclose the element of permitting a client computer to elect to access 
the Internet after displaying error messages, but adds Shrader (col. 4, lines 56-57) for the 
teaching of "returning an error message (e.g., Unauthorized) to the browser and 
prompting the user for id and password" (Second Office Action, paragraph 18, page 11). 

Claims 26 and 41, which incorporate the limitations of Appellant's independent 
claims, are believed to be allowable for at least the reasons cited above pertaining to the 
deficiencies of Fuh and Logan in respect to Appellant's invention. Shrader does not cure 
the above-described deficiencies of Fuh and Logan. The referenced portion of Shrader 
simply provides that a check is made for credentials of a user and, if the user does not 
have appropriate credentials, Shrader's system returns an error message and requests 
username and password from the user. In other words, Shrader's system requires the user 
to resubmit the credentials and denies access until the proper credentials are received. 
This does not teach Appellant's claim limitations of client premises equipment which 
evaluates and enforces compliance by client computers with an access policy, nor does it 
provide the specific teaching of Appellant's claims 26 and 41 of permitting a client 
computer not in compliance with the access policy to elect to proceed with Internet access 
notwithstanding the failure to comply with the access policy. As the combined references 
do not teach or suggest all of the limitations of Appellant's claims, it is respectfully 
submitted that these claims distinguish over these references and overcome any rejection 
under Section 103. 

5. Group V claims 

The Examiner has rejected claim 61 under 35 U.S.C. 103(a) as being obvious over 
Fuh in view of US Patent No. 6,542,933 to Durst, Jr. et al. (hereinafter "Durst"). Claim 
61 is believed to be allowable for at least the reasons cited above pertaining to the 
deficiencies of Fuh in respect to Appellant's invention. Durst does not cure these 
deficiencies. The referenced portions of Durst simply discuss receiving a URL request at 
an information server and redirecting the request to a content server to receive a content 
file. Durst provides no teaching of issuing challenges for evaluating compliance of a 
client computer with an access policy or for redirecting client computers determined not 
to be in compliance with the access policy to a sandbox server as provided in Appellant's 
claims. As the combined references do not teach or suggest all of the limitations of 
Appellant's claims, it is respectfully submitted that these claims distinguish over these 
references and overcome any rejection under Section 103. 

6. Group VI claims 

The Examiner has rejected claims 62-64 under 35 U.S.C 103(a) as being obvious 
over Fuh in view of Durst, further in view of Shrader. These claims, which incorporate 
the limitations of Appellant's independent claims, are believed to be allowable for at least 
the reasons cited above pertaining to the deficiencies of Fuh, Durst and Shrader in respect 
to Appellant's invention. Further, regarding motivation to combine these references, the 
Examiner glibly states the motivation to be providing "client computers to correct the 
network requests and authenticating again in order to access the Internet after being 
notified by a particular error." Although there is probably always some degree of 
"motivation" to generically combine multiple references to produce some sort of better 
result, the Examiner's analysis here appears to be simply conclusory hindsight, not a 
thoughtful analysis of motivation provided by the cited references themselves. To the 
extent that these references provide any sort of motivation to be combined in the manner 
suggested by the Examiner, such motivation cannot be gleaned from the Examiner's 
rejection. 

For the reasons stated, it is respectfully submitted that these claims distinguish 
over these references. Therefore, it is requested that the Examiner's rejection under Section 
103 not be sustained. 

9. CONCLUSION 

The present invention greatly improves the ease and efficiency of the task of 
managing Internet access, including preventing access by computers that do not conform 
to a security policy governing types of access permitted, which is currently in force (e.g., 
by a corporate IT department). It is respectfully submitted that the present invention, as 
set forth in the pending claims, sets forth a patentable advance over the art. 

In view of the above, it is respectfully submitted that the Examiner's rejections 
under 35 U.S.C. Sections 102 and 103 should not be sustained. If needed, Appellant's 
undersigned attorney can be reached at 408 884 1507. For the fee due for this Appeal 
Brief, please refer to the attached Fee Transmittal Sheet. This Brief is submitted in 
triplicate. 



Respectfully submitted, 




Date: September 9, 2005 



John A. Smart; Reg. No. 34,929 
Attorney of Record 



408 884 1507 
815 572 8299 FAX 
10. APPENDIX OF CLAIMS ON APPEAL 

1. (Original) In a system comprising one or more client computers connected to 
the Internet by client premises equipment serving a routing function for client computers, 
a method for managing internet access based on a specified access policy, the method 
comprising: 

transmitting a challenge from said client premises equipment to each client 
computer, for determining whether a given client computer is in compliance with said 
specified access policy; 

transmitting a response from at least one client computer back to said client 
premises equipment for responding to said challenge that has been issued; and 

blocking Internet access for any client computer that does not respond 
appropriately to said challenge. 

2. (Original) The method of claim 1, wherein a client computer that does not 
respond at all is blocked from Internet access. 

3. (Original) The method of claim 1, wherein a client computer that responds with 
a particular predefined code indicating non-compliance is blocked from Internet access. 

4. (Original) The method of claim 1, wherein a client computer that responds with 
a particular predefined code indicating compliance is permitted Internet access. 

5. (Original) The method of claim 1, further comprising: 

before receipt of a challenge, transmitting an initial message from a particular 
client computer to the client premises equipment, for requesting the client premises 
equipment to transmit a challenge to that particular client computer. 

6. (Original) The method of claim 5, wherein said initial message comprises a 
"client hello" packet. 

7. (Original) The method of claim 1, wherein said client premises equipment is 
capable of permitting Internet access by selected client computers and denying access to 
other client computers. 

8. (Original) The method of claim 1, wherein said access policy specifies rules 
that govern Internet access by the client computers. 

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9. (Previously presented) The method of claim 8, wherein said step of blocking 
Internet access includes: 

determining whether permitting Internet access for a given client computer would 
violate any of said rules, and 

if permitting such Internet access would violate any of said rules, denying Internet 
access for that client computer. 

10. (Original) The method of claim 1, wherein said access policy includes rules 
that are enforced against selected ones of users, computers, and groups thereof. 

11. (Original) The method of claim 1, wherein said access policy specifies which 
applications are allowed Internet access. 

12. (Original) The method of claim 1, wherein said access policy specifies 
applications that are allowed Internet access. 

13. (Original) The method of claim 12, wherein said applications are specified by 
executable name and version number that are acceptable. 

14. (Original) The method of claim 12, wherein said applications are specified by 
digital signatures that are acceptable. 

15. (Original) The method of claim 14, wherein said digital signatures are 
computed using a cryptographic hash. 

16. (Original) The method of claim 15, wherein said cryptographic hash 
comprises a selected one of Secure Hash Algorithm (SHA-1) and MD5 cryptographic 
hashes. 

17. (Original) The method of claim 1, wherein said access policy specifies Internet 
access activities that are permitted or restricted for applications or versions thereof. 

18. (Original) The method of claim 1, wherein said access policy specifies rules 
that are transmitted to client computers from a remote location. 

19. (Original) The method of claim 18 wherein said remote location comprises a 
centralized location for maintaining said access policy. 

20. (Previously presented) The method of claim 1, wherein said step of blocking 
Internet access includes: 

determining, based on identification of a particular client computer or group 
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thereof, a specific subset of rules filtered for that particular client computer or group 
thereof. 

21. (Original) The method of claim 1, wherein said challenge includes a request 
for a particular client computer to respond as to whether it is in compliance with said 
access policy. 

22. (Original) The method of claim 1, further comprising: 

redirecting a client computer that is not in compliance with said access policy to a 
sandbox server; and 

informing such client computer that it is not in compliance with said access 
policy. 

23. (Original) The method of claim 22 further comprising: 

redirecting a client computer that is not in compliance with a particular access 
policy, to a particular port on the sandbox server; and 

displaying particular error message pages on the sandbox server in response to 
communications on particular ports. 

24. (Original) In a system comprising one or more client computers connected to 
the Internet by client premises equipment serving a routing function for client computers, 
a method for managing Internet access based on a specified access policy, the method 
comprising: 

transmitting a challenge from said client premises equipment to each client 
computer, for determining whether a given client computer is in compliance with said 
specified access policy; 

transmitting a response from at least one client computer back to said client 
premises equipment for responding to said challenge that has been issued; and 

redirecting a request for Internet access by any client computer that does not 
respond appropriately to said challenge to a sandbox server. 

25. (Original) The method of claim 24, further comprising: 

displaying an error message on the sandbox server to any client computer that 
does not respond appropriately to said challenge. 

26. (Original) The method of claim 25, further comprising: 
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after display of such error message, permitting said client computer to elect to 
access the Internet. 

27. (Original) The method of claim 24, wherein a client computer that responds 
with a particular predefined code indicating non-compliance is redirected to said sandbox 
server. 

28. (Original) The method of claim 24, wherein a client computer that responds 
with a particular predefined code indicating compliance is permitted Internet access. 

29. (Original) The method of claim 24, further comprising: 

before receipt of a challenge, transmitting an initial message from a particular 
client computer to the client premises equipment, for requesting the client premises 
equipment to transmit a challenge to that particular client computer. 

30. (Original) The method of claim 29, wherein said initial message comprises a 
"client hello" packet. 

31. (Original) The method of claim 24, wherein said client premises equipment is 
capable of permitting Internet access by selected client computers and redirecting other 
client computers to the sandbox server. 

32. (Original) The method of claim 24, wherein said access policy includes rules 
that are enforced against selected ones of users, computers, and groups thereof. 

33. (Original) The method of claim 24, wherein said access policy specifies which 
applications are allowed Internet access. 

34. (Original) The method of claim 24, wherein said access policy specifies 
executable names and version number of applications that are allowed Internet access. 

35. (Original) The method of claim 24, wherein said access policy specifies 
Internet access activities that are permitted or restricted for applications or versions 
thereof. 

36. (Original) The method of claim 24, wherein said access policy specifies rules 
that are transmitted to client computers from a remote location. 

37. (Original) The method of claim 36, wherein said remote location comprises a 
centralized location for maintaining said access policy. 

38. (Previously presented) The method of claim 24, wherein said step of 

redirecting a request for Internet access by a client computer includes: 

determining, based on identification of a particular client computer or group 
thereof, a specific subset of rules filtered for that particular client computer or group 
thereof. 

39. (Original) The method of claim 24, wherein said challenge includes a request 
for a particular client computer to respond as to whether it is in compliance with said 
access policy. 

40. (Original) The method of claim 24, further comprising: 

redirecting a client computer that is not in compliance with a particular access 
policy, to a particular port on the sandbox server; and 

displaying particular error messages on the sandbox server in response to 
communications on particular ports. 

41. (Original) The method of claim 24, further comprising: 

permitting client computers that are not in compliance with particular access 
policies to elect to access the Internet; and 

blocking computers that are not in compliance with other access policies from 
accessing the Internet. 

42. (Original) The method of claim 24, wherein said applications are specified by 
digital signatures which are acceptable. 

43. (Original) The method of claim 42, wherein said digital signatures are 
computed using a cryptographic hash. 

44. (Original) The method of claim 43, wherein said cryptographic hash 
comprises a selected one of Secure Hash Algorithm (SHA-1) and MD5 cryptographic 
hashes. 

45. (Original) A system for regulating Internet access by client computers 
comprising: 

an access policy governing Internet access by said client computers; 

client premises equipment serving a routing function for each client computer to 
be regulated and capable of issuing a challenge to each client computer, for determining 
whether a given client computer is in compliance with said access policy; 
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one or more client computers which can connect to the Internet and at least one of 
which can respond to challenges issued by said client premises equipment; and 

an enforcement module for selectively blocking Internet access to the Internet to 
client computers not in compliance with said access policy. 

46. (Original) The system of claim 45, wherein said client premises equipment 
includes a router. 

47. (Original) The system of claim 45, wherein said access policy is provided at 
each client computer to be regulated. 

48. (Original) The system of claim 45, wherein said enforcement module is 
provided at said client premises equipment. 

49. (Previously presented) The system of claim 45, wherein said at least one client 
computer which can respond to challenges responds with a particular predefined code 
indicating noncompliance with said access policy and is blocked from Internet access. 

50. (Previously presented) The system of claim 45, wherein a client computer that 
responds with a particular predefined code indicating compliance with said access policy 
is permitted Internet access. 

51. (Original) The system of claim 45, wherein at least one of the client computers 
is capable of transmitting an initial message to the client premises equipment before 
receipt of a challenge, for requesting the client premises equipment to transmit a 
challenge to that particular client computer. 

52. (Original) The system of claim 45, wherein said enforcement module is 
capable of permitting Internet access by selected client computers and denying access to 
other client computers. 

53. (Original) The system of claim 45, wherein said access policy includes rules 
that are enforced against selected ones of users, computers, and groups thereof. 

54. (Original) The system of claim 53, wherein said enforcement module is 
capable of determining, based on identification of a particular client computer or group 
thereof, a specific subset of said access policies filtered for that particular client computer 
or group thereof. 

55. (Original) The system of claim 45, wherein said access policy specifies 
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applications that are allowed Internet access. 

56. (Original) The system of claim 55, wherein said applications are specified by 
executable name and version number that are acceptable. 

57. (Original) The system of claim 55, wherein said access policy specifies types 
of activities which applications are allowed to perform or restricted from performing. 

58. (Original) The system of claim 55, wherein said applications are specified by 
digital signatures that are acceptable. 

59. (Original) The system of claim 58, wherein said digital signatures are 
computed using a cryptographic hash. 

60. (Original) The system of claim 59, wherein said cryptographic hash comprises 
a selected one of Secure Hash Algorithm (SHA-1) and MD5 cryptographic hashes. 

61. (Original) The system of claim 45, further comprising: 

a sandbox server to which client computers that are not in compliance with said 
access policy are redirected. 

62. (Original) The system of claim 61, wherein said sandbox server informs 
non-compliant client computers that they are not in compliance with said access policy. 

63. (Original) The system of claim 62, wherein said client computers may elect to 
access the Internet after being informed that they are not in compliance with said 
access policy. 

64. (Original) The system of claim 61, wherein: 

said enforcement module is capable of redirecting a client computer that is not in 
compliance with a particular access policy to a particular port on the sandbox server; and 

said sandbox server is capable of displaying particular error message pages in 
response to communications on particular ports. 
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PATENT 
Docket No. VTV/0003.01 



IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 



In re application of: 
Gregor P. Freund et al. 

Serial No.: 09/944,057 

Filed: August 30, 2001 

For: System Providing Internet Access 
Management with Router-based Policy 
Enforcement 

Mail Stop Appeal 
Commissioner for Patents 
P.O. Box 1450 
Alexandria, VA 22313-1450 

Sir: 



BRIEF ON BEHALF OF GREGOR P. FREUND ET AL. 



Examiner: Divecha, Kamal B 
Art Unit: 2151 
APPEAL BRIEF 



This is an appeal from the Final Rejection mailed April 7, 2005, in which 
currently-pending claims 1-64 stand finally rejected. Appellant filed a Notice of Appeal 
on July 11, 2005 (as indicated by return of a confirmation postcard marked "OIPE JUL 11 
2005"). This brief is submitted in triplicate in support of Appellant's appeal. 
5. SUMMARY OF INVENTION 

Appellant's invention comprises a system providing for a security component on 
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client premises equipment (e.g., a router) to check compliance of a client computer with 
an access policy before permitting the computer to access the Internet (e.g., Appellant's 
specification, page 19, lines 22-27). Appellant's system delegates a portion of the overall 
operation of a security solution to a local piece of client premises equipment which 
enforces compliance by client computers with an access policy governing Internet access 
(e.g., Appellant's specification, page 19, lines 19-27). Every few seconds a security 
component of the present invention on client premises equipment (e.g., Fig. 3 at 310, 
311) sends a communication referred to as a "router challenge" to computers on the local 
network (e.g., Appellant's specification, page 20, lines 23-24; Fig. 3 at 320, 330, 340). 
The router challenge requests a response from the local computers (Appellant's 
specification, page 20, lines 24-25). At the local computers, a client-side security 
component of the present invention prepares and returns a response to the router 
challenge (e.g., Appellant's specification, page 25, lines 19-22, Fig. 3 at 321, 341). The 
responses to the router challenge that are received (if any) are stored in the router 
compliance table (e.g., Appellant's specification, page 21, lines 10-12; Fig. 3 at 312). 

Each time the client premises equipment receives a request to connect to the 
Internet from a particular computer, its security component evaluates the 
responses in the router compliance table to determine whether or not the particular 
computer properly responded to the most recent router challenge (e.g., Appellant's 
specification, page 21, lines 12-15; Fig. 3 at 311, 312). If the computer properly 
responded to the challenge and was determined to be in compliance with the access 
policy, then the security component on the client premises equipment permits the 
computer to access the Internet (e.g., Appellant's specification, page 21, lines 15-18). 
However, if the computer did not answer the router challenge or responded with 
information indicating that it was not in compliance with the access policy, then it is not 
allowed to connect to the Internet (e.g., Appellant's specification, page 21, lines 19-26). 
Instead, the non-compliant computer is redirected to a "sandbox" server to address the 
non-compliance (e.g., Appellant's specification, page 21, lines 26-30; Fig. 3 at 313, 330, 
360). The non-compliant computer is only permitted to connect to the sandbox server for 
performing a defined set of tasks and all other Internet access by the non-compliant 
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computer is disabled (e.g., Appellant's specification, page 21, lines 28-30). 
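As an added illustration (not code from the application, the Appellant, or Check Point), the following Python models the router-side logic summarised above: a challenge counter advanced every round, the compliance table of stored responses, and the per-request decision in which a missing, malformed, or stale response is treated as non-compliant and the client is steered to the sandbox server. The response codes, addresses and client behaviour are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional

# Assumed predefined response codes returned by the client-side component.
CODE_COMPLIANT = "COMPLIANT"
CODE_NONCOMPLIANT = "NONCOMPLIANT"

# Constructed address of the sandbox server on the local network.
SANDBOX_SERVER = "10.0.0.250"


class Decision(Enum):
    ALLOW = "allow"                    # forward the request to the Internet
    SANDBOX = "redirect_to_sandbox"    # no, malformed, stale or non-compliant response


@dataclass
class ComplianceEntry:
    challenge_id: int   # which router challenge the stored response answered
    code: str           # CODE_COMPLIANT or CODE_NONCOMPLIANT


@dataclass
class RouterSecurityComponent:
    """Models the security component on the client premises equipment."""
    challenge_id: int = 0
    compliance_table: Dict[str, ComplianceEntry] = field(default_factory=dict)

    def issue_challenge(self) -> int:
        """Called every few seconds; a new challenge number makes older answers stale."""
        self.challenge_id += 1
        return self.challenge_id

    def receive_response(self, client_ip: str, challenge_id: int, code: str) -> bool:
        """Record a client's answer. Returns False (and stores nothing) when the
        answer is for an old challenge or carries an unknown code."""
        if challenge_id != self.challenge_id:
            return False
        if code not in (CODE_COMPLIANT, CODE_NONCOMPLIANT):
            return False
        self.compliance_table[client_ip] = ComplianceEntry(challenge_id, code)
        return True

    def decide(self, client_ip: str, dest_ip: str) -> Decision:
        """Evaluate an outbound connection request against the compliance table."""
        if dest_ip == SANDBOX_SERVER:
            return Decision.ALLOW   # the sandbox server itself stays reachable
        entry: Optional[ComplianceEntry] = self.compliance_table.get(client_ip)
        if entry is None or entry.challenge_id != self.challenge_id:
            return Decision.SANDBOX    # never answered, or only answered an older challenge
        if entry.code == CODE_COMPLIANT:
            return Decision.ALLOW
        return Decision.SANDBOX


def run_scenario() -> Dict[str, Decision]:
    """Constructed scenario: four local clients over two challenge rounds."""
    internet = "198.51.100.7"          # constructed Internet destination
    router = RouterSecurityComponent()

    cid1 = router.issue_challenge()
    router.receive_response("192.168.1.10", cid1, CODE_COMPLIANT)
    router.receive_response("192.168.1.11", cid1, CODE_NONCOMPLIANT)
    router.receive_response("192.168.1.13", cid1, CODE_COMPLIANT)
    # 192.168.1.12 runs no client-side component and never answers.
    results = {
        "10-internet": router.decide("192.168.1.10", internet),
        "11-internet": router.decide("192.168.1.11", internet),
        "11-sandbox": router.decide("192.168.1.11", SANDBOX_SERVER),
        "12-internet": router.decide("192.168.1.12", internet),
    }

    # Second round: .13 stops answering; its earlier answer must not keep it online.
    cid2 = router.issue_challenge()
    router.receive_response("192.168.1.10", cid2, CODE_COMPLIANT)
    results["13-stale-accepted"] = Decision.ALLOW if router.receive_response(
        "192.168.1.13", cid1, CODE_COMPLIANT) else Decision.SANDBOX
    results["13-internet-round2"] = router.decide("192.168.1.13", internet)
    results["10-internet-round2"] = router.decide("192.168.1.10", internet)
    return results


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name}: {decision.value}")
```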



6. ISSUES 

The issues presented on appeal are: (1) whether claims 1, 3-6, 8, 11, 12, 17, 21, 
45, 46, 47, 48-51, 55 and 57 are unpatentable under 35 U.S.C. 102(e) as being anticipated 
by U.S. Patent No. 6,463,474 B1 issued to Fuh et al. (hereinafter "Fuh"); (2) whether 
claims 2, 7, 10, 13-16, 18-19, 20, 47, 52-54, 56, and 58-60 are unpatentable under 35 
U.S.C. 103(a) as being obvious over Fuh; (3) whether claims 22-25, 27-37, 39, 40, and 
42-44 are unpatentable under 35 U.S.C. 103(a) as being obvious over Fuh in view of U.S. 
Patent No. 5,761,683 to Logan et al. (hereinafter "Logan"); (4) whether claims 26 and 41 
are unpatentable under 35 U.S.C. 103(a) as being obvious over Fuh in view of Logan, 
further in view of U.S. Patent No. 6,026,440 to Shrader et al. (hereinafter "Shrader"); (5) 
whether claim 61 is unpatentable under 35 U.S.C. 103(a) as being obvious over Fuh in 
view of U.S. Patent No. 6,542,933 to Durst, Jr. et al. (hereinafter "Durst"); and (6) whether 
claims 62-64 are unpatentable under 35 U.S.C. 103(a) as being obvious over Fuh in view 
of Durst, and further in view of Shrader. 

7. GROUPING OF CLAIMS 

For purposes of this appeal, Appellant believes that the following groups of 
claims are separately patentable under Sections 102 and 103. Thus, the claims do not 
stand or fall together with respect to the rejections under Sections 102 and 103 but are 
instead grouped as follows: 



Group I: claims 1, 3-6, 8, 11, 12, 17, 21, 45, 46, 47, 48-51, 55 and 57 

Group II: claims 2, 7, 10, 13-16, 18-19, 20, 47, 52-54, 56, 58-60 

Group III: claims 22-25, 27-37, 39, 40, and 42-44 

Group IV: claims 26 and 41 

Group V: claim 61 

Group VI: claims 62-64 



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(The reasoning supporting separate patentability of the above groups is set forth in 
detail below, in the Argument section.) 

8. ARGUMENT 

A. Rejection under 35 U.S.C. Section 102(e) 

1. General 

Under Section 102, a claim is anticipated only if each and every element as set 
forth in the claim is found, either expressly or inherently described, in the single prior art 
reference. (See, e.g., MPEP Section 2131.) As will be shown below, the reference fails 
to teach each and every element set forth in claim 1, as well as other claims, and therefore 
fails to establish anticipation of the claimed invention under Section 102. 

2. Group 1 claims 

Claims 1, 3-6, 8, 11, 12, 17, 21, 45, 46, 47, 48-51, 55 and 57 stand rejected under 
35 U.S.C. 102(e) as being anticipated by U.S. Patent No. 6,463,474 B1 issued to Fuh et 
al. (hereinafter "Fuh"). Initially, it should be noted that the Examiner has not included 
claims 9 and 22 in the list of claims rejected as anticipated by Fuh at paragraph 2 at page 
2 of the Office Action mailed April 7, 2005 (hereinafter "Second Office Action"). 
However, it will be assumed that the Examiner meant to include claims 9 and 22 in this 
list of claims rejected as anticipated by Fuh as the Examiner has so indicated at paragraph 
6 at page 6 and at paragraph 2 at page 4 of the Second Office Action, respectively. 

The following rejection of Appellant's claim 1 by the Examiner is representative 
of the Examiner's rejection of the Appellant's claims of this group as being anticipated by 
Fuh: 

With respect to claim 1, Fuh et al discloses: In a system comprising one or more 
client computers connected to the Internet by client premises equipment serving a 
routing function for client computers (figure 3 item #306, item #210, item #216), 
a method for managing Internet access based on a specified access policy (see, 
abstract), the method comprising: transmitting a challenge from said client 
premises equipment to each client computer (figure 4 item #403), for determining 
whether a given client computer is in compliance with said specified access 

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policy; transmitting a response from at least one client computer back to said 
client premises equipment, for responding to said challenge that has been issued 
(figure 4 item #404); and blocking Internet access for any client computer that 
does not respond appropriately to said challenge (figure 7A block #707). 

(Second Office Action, paragraph 2, page 2) 

As noted above, a claim is anticipated only if each and every element as set forth 
in the claim is found, either expressly or inherently described, in the single prior art 
reference. As will be shown below, Fuh fails to teach each and every element set forth in 
claims 1 and 45 (as well as other claims) and therefore fails to establish anticipation of 
the claimed invention under Section 102. 

The Examiner equates Fuh's firewall router which authenticates users with 
Appellant's security system which provides for client premises equipment (e.g., a router) 
to regulate access to the Internet by client computers based on an access policy. At the 
outset, Appellant does not claim to have invented the notion of authenticating a user at a 
router. To be sure, at a high level both Fuh's system and Appellant's invention involve 
routers (or other similar client premises equipment). However, Appellant's claimed 
invention includes specific elements that distinguish it from Fuh's system. As described 
below, Fuh's system decides whether to authenticate a user for access to particular 
resources (e.g., an intranet) based on user login information, while Appellant's security 
system serves a different purpose in enforcing compliance by client computers with an 
access policy governing Internet access by the client computers. In Appellant's system, 
for example, the access policy may specify which particular applications are allowed 
Internet access, thereby allowing users (including administrators) to block spyware and 
other malware from accessing the Internet from a given client machine (thereby 
preventing the transmission of confidential or sensitive information from the client 
computer (e.g., desktop computer, laptop, or the like) to third party perpetrators on the 
Internet). These and other differences between Appellant's invention and Fuh's system 
become apparent when the elements of Appellant's claims are compared to the specific 
teachings of Fuh cited by the Examiner. 

As a first example, the Examiner references Fuh's abstract for the teaching of "a 
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method for managing Internet access based on a specified access policy" as stated in 
Appellant's claim 1. However, Fuh's abstract describes a router that intercepts traffic 
from a client directed towards a network resource for purposes of authenticating the client 
(i.e., user) at the router. It does not describe an access policy for managing Internet 
access by client computers. The Examiner also references Fuh at col. 6, lines 1-5 for the 
teaching of the comparable element of Appellant's claim 45 of "an access policy 
governing Internet access by client computers". However, this portion of Fuh reads as 
follows: 

...the invention encompasses a computer system for controlling access of a client 
to a network resource using a network device that is logically interposed between 
the client and the network resource, comprising ... creating and storing client 
authorization information at the network device, wherein the client authorization 
information comprises information indicating whether the client is authorized to 
communicate with the network resource and what access privileges the client is 
authorized to have with the network resource . 

(Fuh, col. 5, line 58 - col. 6, line 5, emphasis added) 

Fuh's authentication proxy is implemented at a firewall router which protects a 
particular network resource from access by external user(s). Fuh's system is focused on 
protecting this particular resource (e.g., server on an intranet serving a given 
organization). If an external user seeking to access the particular network resource is 
authenticated by Fuh's system, then the system also indicates what access privileges the 
user is authorized to have with the particular network resource. The "access privileges" 
that are given to users by Fuh's system relate to the particular network resource. 

Appellant's access policy, in contrast, relates to Internet access by client 
computers and not to a particular network resource. Another significant difference is that 
Fuh's "access privileges" (or "user profile") are applied to a particular user after the 
decision about whether or not to authenticate the particular user for access to the network 
resource is made (Fuh, col. 7, lines 56-58). This is not Appellant's approach. Appellant's 
access policy is not applied after the decision to permit access is made. Instead, 
Appellant's system examines compliance with the access policy in making the decision 

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about whether to permit access. For these reasons, Fuh's access privileges are not 
comparable to Appellant's claim element of "managing Internet access based on a 
specified access policy" which governs Internet access by client computers. 

Another major difference between the system of Fuh and that of Appellant is that 
the "challenge" issued by Fuh's system requests login information for authentication of a 
user. Appellant's invention, in contrast, issues a challenge to a client computer for 
determining whether the client computer is in compliance with the above-described 
access policy governing Internet access by client computers. The Examiner references 
the element 403 at Fig. 4 of Fuh for the teaching of determining whether a client 
computer is in compliance with an access policy. However, the following description of 
this element 403 in the Fuh reference clearly indicates that the purpose of this "challenge" 
is to obtain user login information: 

Referring again to FIG. 7B, after the new authentication cache is created, login 
information is requested from the client, as shown in block 724. For example, 
Authentication Proxy 400 obtains authentication information from User 302 by 
sending a login form to client 306. The login form is an electronic document 
that requests User 302 to enter username and password information, as 
shown by path 403. 

(Fuh, col. 11, lines 49-55) 

As illustrated above, Fuh's system is focused on authenticating a user based on 
login information (e.g., username and password), rather than based on compliance of the 
client computer with an access policy governing Internet access. The "challenge" issued 
by Fuh's authentication proxy requests a user to enter a username and password in a login 
form. Fuh's system determines whether or not to permit remote access to particular 
resources (e.g., intranet) based on this user login information. If the login information 
supplied by the user is correct and the authentication process is successful, access is 
permitted and the authentication cache is updated so that subsequent requests can 
authenticate at the firewall router without consulting a separate authentication server 
(Fuh, col. 12, lines 38-47). 

Unlike Fuh's system, Appellant's invention does not permit or block requests for 

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access based on user login information. Instead, Appellant's system determines 
whether a given client computer is in compliance with the specified access policy 
governing Internet access. If the client computer is not in compliance with the access 
policy, Appellant's invention blocks access to the Internet. These features are specifically 
described in Appellant's claims, including, for example, in Appellant's claim 1 which 
includes the following claim limitations: 

1. In a system comprising one or more client computers connected to the Internet 
by client premises equipment serving a routing function for client computers, a 
method for managing Internet access based on a specified access policy, the 
method comprising: 

transmitting a challenge from said client premises equipment to each client 
computer, for determining whether a given client computer is in compliance 
with said specified access policy; 

transmitting a response from at least one client computer back to said client 
premises equipment for responding to said challenge that has been issued; and 

blocking Internet access for any client computer that does not respond 
appropriately to said challenge. 

(Appellant's claim 1, emphasis added) 

As shown above, Appellant's invention provides for client premises equipment to 
regulate access to the Internet by client computers. The decision about whether to allow 
Internet access by a given computer is based on compliance by the given computer with 
the above-described access policy. This is different than Fuh's approach which teaches 
authenticating a user for access based on login information (e.g., user name and 
password) supplied by the user. 

Another difference between Appellant's approach and that of Fuh is that 
Appellant's system provides for blocking access by the client computer to the Internet, 
while Fuh's system focuses on blocking external access to particular resources (e.g., an 
intranet server). Fuh's system is implemented in a firewall router which provides for 
examining incoming attempts from external sources to access a particular network 
resource (e.g., server on intranet). Appellant's invention, in contrast, provides for local 
client premises equipment to enforce compliance by client computers with the access 
policy governing Internet access. This is specifically indicated in Appellant's claim 1 
which includes the following claim limitations: 

In a system comprising one or more client computers connected to the Internet by 
client premises equipment serving a routing function for client computers, a 
method for managing Internet access based on a specified access policy, the 
method comprising: 

transmitting a challenge from said client premises equipment to each client 
computer, for determining whether a given client computer is in compliance with 
said specified access policy; 

(Appellant's claim 1, emphasis added). 

The Examiner references Fig. 3, item 210 and the login arrow 402 shown at Fig. 4 
of Fuh for the corresponding teaching of client premises equipment serving a routing 
function for each client computer to be regulated which issues a challenge to client 
computers. However, Fuh instead describes a firewall router which regulates remote 
access to particular resources (i.e., the intranet 216) as illustrated by the following: 

The firewall router 210 is coupled to intranet 216, and an authentication and 
authorization server 218 ("AAA server"). The firewall router 210 controls remote 
access to intranet 216. 

(Fuh, col. 8, lines 25-28, emphasis added) 

As shown at Fig. 2, in Fuh's system the LAN 206 and intranet 216 are located in 
logically distinct regions (Fuh, Fig. 2). The LAN 206 is located in a first region 202 and 
the intranet 216 is located in the second region 204, which may be geographically 
separate (Fuh col. 8, lines 14-19). Appellant's invention, in contrast, provides for the 
access policy governing Internet access by client computers to be enforced by client 
premises equipment serving a routing function for the client computers that are being 
regulated, such as a router on the local LAN. If a given client computer is not in 
compliance with the access policy, access to the Internet by the client computer is 
regulated (i.e., selectively blocked). These limitations of client premises equipment 
regulating Internet access by a client computer based on whether the client computer is in 
compliance with an access policy are also recited in Appellant's claim 45, as follows: 

A system for regulating Internet access by client computers comprising: 
an access policy governing Internet access by said client computers; 
client premises equipment serving a routing function for each client computer to 
be regulated and capable of issuing a challenge to each client computer, for 
determining whether a given client computer is in compliance with said 
access policy; 

an enforcement module for selectively blocking Internet access to the Internet to 
client computers not in compliance with said access policy. 

(Appellant's claim 45, emphasis added) 

Additional distinctions between Appellant's invention and that of Fuh are 
illustrated in Appellant's dependent claims. For example, Appellant's claim 12 includes 
the following claim limitations: 

The method of claim 1, wherein said access policy specifies applications that are 
allowed Internet access. 

(Appellant's claim 12) 

As shown above, Appellant's claimed approach involves an access policy which 
specifies particular applications which are allowed Internet access. Appellant's claims 11 
and 55 also include similar claim limitations. The Examiner references Fuh at column 7, 
lines 56-58 for the teaching of an access policy specifying applications that are allowed 
Internet access. However, the referenced portion of Fuh reads as follows: 

If the username is successfully authenticated, then the firewall is dynamically 
configured to open a passageway for the HTTP packets as well as other types of 
network traffic initiated from the user on the client. The other types of network 
traffic that are permitted through the passageway are specified in a user profile for 
that particular user. 

(Fuh, col. 7, lines 56-58, emphasis added) 

As described above, Fuh's system receives identity information (e.g., username 
and password) for authenticating a user. After the user's identity is authenticated, Fuh's 
system permits particular types of network traffic initiated by that particular user which 
are specified in the user's profile. The Examiner states that Fuh's "user profile" for a 
"particular user" is equivalent to Appellant's claim limitations of an access policy 
regulating access to the Internet by client computers which specifies applications allowed 
to access the Internet. However, the teachings of Fuh referenced by the Examiner 
indicate that Fuh's system decides whether or not to authenticate a user based on user 
login information and without examination of applications on the client computer. As 
previously described, the user profile (or access privileges) is applied by Fuh's system 
only after the decision about whether to permit access is made (i.e., after the user is 
authenticated). This is not Appellant's claimed approach. Appellant's claimed approach 
provides for determining whether or not to permit Internet access based on compliance 
with an access policy which specifies particular applications which are approved for 
Internet access. Appellant's approach provides for making the decision about whether or 
not to permit access based on the access policy. This is not the same as applying a profile 
or set of privileges to a user after the decision to permit access to the user has been made. 

All told, Fuh's system is distinguishable from that of Appellant on several grounds 
which are specifically included as claim limitations of Appellant's claims 1 and 45 and 
other dependent claims thereof. As described above, Fuh provides no teaching 
comparable to Appellant's claim limitations of an access policy governing Internet access 
by client computers. Significantly, Fuh's firewall router provides for determining whether 
or not to authenticate a user for access to particular network resources based on user login 
information. In contrast, Appellant's invention regulates Internet access based on whether 
or not a client computer attempting Internet access is in compliance with the specified 
access policy. The policy itself may include specific rules governing access (e.g., rules 
specifying particular applications that are approved for Internet access). Such features 
cannot be reproduced with the teachings of Fuh. As Fuh does not teach or suggest all of 
the claim limitations of Appellant's independent claims 1 and 45 (and other dependent 
claims thereof), it is respectfully submitted that the claims distinguish over this reference 
and that the Examiner's rejection under Section 102 should not be sustained. 



B. Rejections under 35 U.S.C. Section 103(a) 

1. General 

Under Section 103(a), a patent may not be obtained if the differences between the 
subject matter sought to be patented and the prior art are such that the subject matter as a 
whole would have been obvious at the time the invention was made to a person having 
ordinary skill in the art to which the subject matter pertains. To establish a prima facie 
case of obviousness under this section, the Examiner must establish: (1) that there is 
some suggestion or motivation, either in the references themselves or in the knowledge 
generally available to one of ordinary skill in the art, to modify the reference or to 
combine reference teachings, (2) that there is a reasonable expectation of success, and (3) 
that the prior art reference (or references when combined) must teach or suggest all the 
claim limitations. (See, e.g., MPEP 2142). The references cited by the Examiner fail to 
meet these conditions. 

2. Group II claims 

The Examiner has rejected claims 2, 7, 10, 13-16, 18-19, 20, 47, 52-54, 56, and 
58-60 under 35 U.S.C. 103(a) as being obvious over Fuh. It should be noted that the 
Examiner has previously rejected claims 47 and 55 as being anticipated by Fuh under 
Section 102 (Second Office Action, paragraph 2 at page 5 and paragraph 4 at page 5), 
and has also mentioned rejecting these claims as being obvious over Fuh under Section 
103(a) (Second Office Action, paragraph 8 at page 6 and paragraph 12 at page 9). It will 
be assumed that the Examiner meant to reject claims 47 and 55 as anticipated by Fuh 
under Section 102. 

As to the claims of this group rejected as obvious over Fuh, the Examiner 
acknowledges that Fuh does not explicitly disclose elements of these claims, but states 
that the elements not explicitly disclosed in Fuh would have been obvious to one 
ordinarily skilled in the art. The Examiner's rejection of Appellant's claims 13-16 as 
follows is representative of the Examiner's rejection of Appellant's claims as obvious over 
Fuh: 

As per claims 13-16, Fuh et al. does not explicitly disclose: application are 
specified by executable name and version number, application are specified by 
digital signatures, digital signatures are computed using a cryptographic hash and 
wherein said cryptographic hash comprises a selected one of Secure Hash 
Algorithm (SHA-1) and MD5 cryptographic hashes, however it would have been 
obvious to the one of ordinary skill in the art to use the above specified elements 
because it would have allowed a router to make a correct decision (block or 
permit) by comparing executable names and securely transfer the data to the 
destination. 

(Second Office Action, paragraph 14) 

Claims 2, 7, 10, 13-16, 18-19, 20, 47, 52-54, 56, and 58-60 are dependent upon 
Appellant's independent claims 1 and 45 and therefore are believed to be allowable for at 
least the reasons cited above pertaining to the deficiencies of Fuh in respect to Appellant's 
invention. As described above, Fuh does not teach client premises equipment issuing 
challenges to client computers for determining compliance of such client computers with 
an access policy governing Internet access. The claims are believed to be patentable for 
the following additional reasons. 

Appellant's claim 12 includes limitations providing that an access policy 
governing Internet access by client computers specifies particular applications which are 
approved for Internet access. The limitations of claim 13 further provide that the access 
policy specifies not only those applications approved for Internet access, but also 
specifies particular executable names and version numbers of the applications approved 
for Internet access. The Examiner acknowledges that Fuh does not provide the specific 
teaching of an access policy in which applications approved for Internet access are 
"specified by executable name and version number that are acceptable" as provided in 
Appellant's claim 13, but states that "it would have been obvious to the one of ordinary 
skill in the art to use the above specified elements because it would have allowed a router 
to make a correct decision (block or permit) by comparing executable names and securely 
transfer the data to the destination" (Second Office Action, paragraph 8, page 8). 
However, as described above, Fuh teaches that the decision about whether or not to 
permit access is based on user login information (e.g., user name and password). Thus, 
examining the executable name and version number of an application is inconsistent with 
Fuh's approach as Fuh's system decides whether to authenticate a user and permit access 
on the basis of user login information. Appellant's system, in contrast, makes the 
decision about whether or not to permit access based on compliance with the access 
policy. The access policy, in turn, may specify executable names and version numbers of 
applications which are allowed Internet access. 

If anything, Fuh's described approach of making the decision about whether to 
permit access to a particular user based on user login information teaches away from that 
adopted by Appellant. For the reasons stated, it is respectfully submitted that Appellant's 
claims of this group distinguish over the prior art and that the Examiner's rejection under 
Section 103 should not be sustained. 

3. Group III claims 

The Examiner has rejected claims 22-25, 27-37, 39, 40, and 42-44 under 35 
U.S.C. 103(a) as being obvious over Fuh in view of U.S. Patent No. 5,761,683 to Logan 
et al. (hereinafter "Logan"). In addition, the Examiner has rejected claim 38 in paragraph 
31 at page 12 of the Second Office Action; however, the Examiner has not specifically 
included claim 38 in the list of claims rejected as obvious based on Fuh in view of Logan. 
It is assumed that claim 38 is rejected as being obvious over Fuh in view of Logan. 

As to the claims of this group, the Examiner acknowledges that Fuh does not 
explicitly disclose the elements of redirecting a client computer that is not in compliance 
with the access policy to a sandbox server and adds Logan for the teachings of redirecting 
a client computer not in compliance with an access policy to a particular sandbox server 
and displaying particular error message pages on the sandbox server in response to 
communications on particular ports (Second Office Action, paragraph 17, pages 9-10). 

Claims 22-25, 27-37, 38, 39, 40, and 42-44 are believed to be allowable for at 
least the reasons cited above pertaining to the deficiencies of Fuh in respect to Appellant's 
invention. As described above, Fuh teaches authenticating a user based on user login 
information and not examining compliance by a client computer with an access policy. 
Logan does not cure the above-described deficiencies of Fuh as it provides no teaching of 
client premises equipment which monitors and enforces compliance by client computers 
with an access policy governing Internet access. Furthermore, Appellant's review of Logan 
finds that it does not include the specific limitations set forth in Appellant's claims of 
redirecting a client determined not to be in compliance with the access policy to a 
"sandbox" server. These limitations are, for example, provided in Appellant's claim 24 as 
follows: 

transmitting a challenge from said client premises equipment to each client 
computer, for determining whether a given client computer is in compliance with 
said specified access policy; 

transmitting a response from at least one client computer back to said client 
premises equipment, for responding to said challenge that has been issued; and 
redirecting a request for Internet access by any client computer that does not 
respond appropriately to said challenge to a sandbox server. 

(Appellant's claim 24, emphasis added) 

The Examiner references Logan at column 19, lines 63-67 for the teaching of 
redirecting a URL request to a remote server and Logan at column 7, lines 41-48 for 
display of an error message to indicate to a user that a request did not succeed. The 
referenced portions of Logan cited by the Examiner simply discuss conventional steps of 
handling requests for remotely stored documents by redirecting certain requests to 
retrieve locally stored copies and sending other requests to a remote web server(s). 
Logan's system provides for returning either the information (e.g., HTML document, 
graphical image, FTP file, or other displayable data) or an error message if the attempt to 
obtain the information does not succeed (Logan, column 7, lines 41-48). This does not 
teach anything analogous to Appellant's claimed approach of redirecting a client 
computer determined not to be in compliance with the access policy to a particular 
"sandbox server" as provided in Appellant's claims. As the combined references do not 
teach or suggest all of the claim limitations of Appellant's claims, it is respectfully 
submitted that the claims distinguish over these references and that the rejection under 
Section 103 is improper. 
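
As an added illustration of the challenge/response scheme recited in the claims of this Group and of Group II above (the Group II claims specify approved applications by executable name, version number and a hash-based digital signature; the Group III claims redirect a non-compliant client to a sandbox server), the following Python is a constructed model. It is example code, not the applicant's, the patent's, or any cited reference's implementation. The response codes, the nonce carried in the challenge, the port number 8081, the hash-algorithm parameter and the sample executables are assumptions made for this example.

```python
"""Constructed model of the challenge/response access check recited in the claims.
Client premises equipment (CPE, e.g. a router) challenges a client, the client
answers with a predefined code and an inventory of its applications, and the
CPE permits Internet access, blocks it, or redirects the client to a sandbox
server port. Example code, not the applicant's implementation."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed values: the claims only speak of "a particular predefined code".
COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"


@dataclass(frozen=True)
class ApprovedApp:
    """One policy rule: an application approved for Internet access, identified by
    executable name and version (claim 13) and optionally by a digital signature,
    i.e. a cryptographic hash of the executable (claims 14-16)."""
    exe_name: str
    version: str
    digest: Optional[str] = None     # hex digest, or None to accept any build of this version


@dataclass
class AccessPolicy:
    approved: list[ApprovedApp]
    hash_alg: str = "sha1"               # the claims name SHA-1 and MD5; "sha256" works the same way
    sandbox_port: Optional[int] = None   # None: block outright; otherwise redirect to this port

    def signature(self, exe_bytes: bytes) -> str:
        return hashlib.new(self.hash_alg, exe_bytes).hexdigest()

    def allows(self, exe_name: str, version: str, digest: str) -> bool:
        """True if a rule approves this name/version and, when the rule carries a
        digest, the reported digest matches it."""
        return any(r.exe_name == exe_name and r.version == version
                   and (r.digest is None or r.digest == digest) for r in self.approved)


@dataclass(frozen=True)
class Challenge:
    nonce: str                           # ties a response to this challenge (assumed detail)
    question: str = "Are you in compliance with the access policy?"   # claim 21


@dataclass(frozen=True)
class Response:
    nonce: str
    code: str                                        # COMPLIANT or NON_COMPLIANT
    apps: tuple[tuple[str, str, str], ...] = ()      # (exe_name, version, digest)


def issue_challenge() -> Challenge:
    """CPE side: transmit a fresh challenge to a client computer."""
    return Challenge(nonce=secrets.token_hex(8))


def client_answer(challenge: Challenge, installed: list[tuple[str, str, bytes]],
                  policy: AccessPolicy) -> Response:
    """Client side: hash its executables, self-assess against the policy it holds
    (claim 47 places the policy at each client) and answer the challenge."""
    inv = tuple((n, v, policy.signature(b)) for n, v, b in installed)
    code = COMPLIANT if all(policy.allows(*e) for e in inv) else NON_COMPLIANT
    return Response(challenge.nonce, code, inv)


def decide(policy: AccessPolicy, challenge: Challenge, response: Optional[Response]) -> str:
    """Enforcement module at the CPE: 'permit', 'block' or 'redirect:<port>'.
    The reported code is not taken on trust; the inventory is re-checked against
    the policy, so a client that says COMPLIANT but lists an unapproved or
    modified application is still denied."""
    deny = "block" if policy.sandbox_port is None else f"redirect:{policy.sandbox_port}"
    if response is None or response.nonce != challenge.nonce:
        return deny                  # no response at all, or a replayed old one (claim 2)
    if response.code != COMPLIANT:
        return deny                  # client reports non-compliance (claim 3)
    if not all(policy.allows(*e) for e in response.apps):
        return deny                  # claimed compliance does not hold up
    return "permit"                  # claim 4


def demo() -> dict[str, str]:
    """Constructed scenario; the 'executables' are just byte strings."""
    browser = b"\x7fELF constructed browser build 1.2"
    tool = b"\x7fELF constructed unapproved tool"
    policy = AccessPolicy(
        approved=[ApprovedApp("browser", "1.2", hashlib.sha1(browser).hexdigest()),
                  ApprovedApp("mailer", "3.0")],   # any build of mailer 3.0
        sandbox_port=8081)                         # assumed port number
    ch = issue_challenge()
    good = [("browser", "1.2", browser)]
    out = {
        "compliant":   decide(policy, ch, client_answer(ch, good, policy)),
        "tampered":    decide(policy, ch, client_answer(ch, [("browser", "1.2", browser + b"!")], policy)),
        "unapproved":  decide(policy, ch, client_answer(ch, [("tool", "0.1", tool)], policy)),
        "silent":      decide(policy, ch, None),
        "replayed":    decide(policy, ch, client_answer(issue_challenge(), good, policy)),
        "false_claim": decide(policy, ch, Response(ch.nonce, COMPLIANT,
                                                   (("tool", "0.1", policy.signature(tool)),))),
    }
    policy.sandbox_port = None                     # same policy, but block instead of redirect
    out["block_mode"] = decide(policy, ch, client_answer(ch, [("tool", "0.1", tool)], policy))
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:<12} -> {verdict}")
```

Running the block prints the verdict for each constructed case. Two design points follow directly from the claims: the enforcement module at the client premises equipment re-checks the client's inventory rather than trusting the COMPLIANT code on its own, and a client that sends nothing is treated exactly like one that reports non-compliance (claim 2). The hash algorithm is a parameter because the claims name SHA-1 and MD5; a current deployment would select SHA-256 in the same place.
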

4. Group IV claims 

The Examiner has rejected claims 26 and 41 under 35 U.S.C. 103(a) as being 
obvious over Fuh in view of Logan, further in view of U.S. Patent No. 6,026,440 to 
Shrader et al. (hereinafter "Shrader"). The Examiner acknowledges that Fuh and Logan 
do not explicitly disclose the element of permitting a client computer to elect to access 
the Internet after displaying error messages, but adds Shrader (col. 4, lines 56-57) for the 
teaching of "returning an error message (e.g., Unauthorized) to the browser and 
prompting the user for id and password" (Second Office Action, paragraph 18, page 11). 

Claims 26 and 41, which incorporate the limitations of Appellant's independent 
claims, are believed to be allowable for at least the reasons cited above pertaining to the 
deficiencies of Fuh and Logan in respect to Appellant's invention. Shrader does not cure 
the above-described deficiencies of Fuh and Logan. The referenced portion of Shrader 
simply provides that a check is made for credentials of a user and, if the user does not 
have appropriate credentials, Shrader's system returns an error message and requests 
username and password from the user. In other words, Shrader's system requires the user 
to resubmit the credentials and denies access until the proper credentials are received. 
This does not teach Appellant's claim limitations of client premises equipment which 
evaluates and enforces compliance by client computers with an access policy, nor does it 
provide the specific teaching of Appellant's claims 26 and 41 of permitting a client 
computer not in compliance with the access policy to elect to proceed with Internet access 
notwithstanding the failure to comply with the access policy. As the combined references 
do not teach or suggest all of the limitations of Appellant's claims, it is respectfully 
submitted that these claims distinguish over these references and overcome any rejection 
under Section 103. 

5. Group V claims 

The Examiner has rejected claim 61 under 35 U.S.C. 103(a) as being obvious over 
Fuh in view of US Patent No. 6,542,933 to Durst, Jr. et al. (hereinafter "Durst"). Claim 
61 is believed to be allowable for at least the reasons cited above pertaining to the 
deficiencies of Fuh in respect to Appellant's invention. Durst does not cure these 
deficiencies. The referenced portions of Durst simply discuss receiving a URL request at 
an information server and redirecting the request to a content server to receive a content 
file. Durst provides no teaching of issuing challenges for evaluating compliance of a 
client computer with an access policy or for redirecting client computers determined not 
to be in compliance with the access policy to a sandbox server as provided in Appellant's 
claims. As the combined references do not teach or suggest all of the limitations of 
Appellant's claims, it is respectfully submitted that these claims distinguish over these 
references and overcome any rejection under Section 103. 

6. Group VI claims 

The Examiner has rejected claims 62-64 under 35 U.S.C. 103(a) as being obvious 
over Fuh in view of Durst, further in view of Shrader. These claims, which incorporate 
the limitations of Appellant's independent claims, are believed to be allowable for at least 
the reasons cited above pertaining to the deficiencies of Fuh, Durst and Shrader in respect 
to Appellant's invention. Further, regarding motivation to combine these references, the 
Examiner glibly states the motivation to be providing "client computers to correct the 
network requests and authenticating again in order to access the Internet after being 
notified by a particular error." Although there is probably always some degree of 
"motivation" to generically combine multiple references to produce some sort of better 
result, the Examiner's analysis here appears to be simply conclusory hindsight, not a 
thoughtful analysis of motivation provided by the cited references themselves. To the 
extent that these references provide any sort of motivation to be combined in the manner 
suggested by the Examiner, such motivation cannot be gleaned from the Examiner's 
rejection. 

For the reasons stated, it is respectfully submitted that these claims distinguish 
over these references. Therefore, it is requested that the Examiner's rejection under Section 
103 not be sustained. 

9. CONCLUSION 

The present invention greatly improves the ease and efficiency of the task of 
managing Internet access, including preventing access by computers that do not conform 
to a security policy governing types of access permitted, which is currently in force (e.g., 
by a corporate IT department). It is respectfully submitted that the present invention, as 
set forth in the pending claims, sets forth a patentable advance over the art. 

In view of the above, it is respectfully submitted that the Examiner's rejections 
under 35 U.S.C. Sections 102 and 103 should not be sustained. If needed, Appellant's 
undersigned attorney can be reached at 408 884 1507. For the fee due for this Appeal 
Brief, please refer to the attached Fee Transmittal Sheet. This Brief is submitted in 
triplicate. 



Respectfully submitted, 







Date: September 9, 2005 



John A. Smart; Reg. No. 34,929 
Attorney of Record 



408 884 1507 
815 572 8299 FAX 

10. APPENDIX OF CLAIMS ON APPEAL 

1. (Original) In a system comprising one or more client computers connected to 
the Internet by client premises equipment serving a routing function for client computers, 
a method for managing Internet access based on a specified access policy, the method 
comprising: 

transmitting a challenge from said client premises equipment to each client 
computer, for determining whether a given client computer is in compliance with said 
specified access policy; 

transmitting a response from at least one client computer back to said client 
premises equipment for responding to said challenge that has been issued; and 

blocking Internet access for any client computer that does not respond 
appropriately to said challenge. 

2. (Original) The method of claim 1, wherein a client computer that does not 
respond at all is blocked from Internet access. 

3. (Original) The method of claim 1, wherein a client computer that responds with 
a particular predefined code indicating non-compliance is blocked from Internet access. 

4. (Original) The method of claim 1, wherein a client computer that responds with 
a particular predefined code indicating compliance is permitted Internet access. 

5. (Original) The method of claim 1, further comprising: 

before receipt of a challenge, transmitting an initial message from a particular 
client computer to the client premises equipment, for requesting the client premises 
equipment to transmit a challenge to that particular client computer. 

6. (Original) The method of claim 5, wherein said initial message comprises a 
"client hello" packet. 

7. (Original) The method of claim 1, wherein said client premises equipment is 
capable of permitting Internet access by selected client computers and denying access to 
other client computers. 

8. (Original) The method of claim 1, wherein said access policy specifies rules 
that govern Internet access by the client computers. 

9. (Previously presented) The method of claim 8, wherein said step of blocking 
Internet access includes: 

determining whether permitting Internet access for a given client computer would 
violate any of said rules, and 

if permitting such Internet access would violate any of said rules, denying Internet 
access for that client computer. 

10. (Original) The method of claim 1, wherein said access policy includes rules 
that are enforced against selected ones of users, computers, and groups thereof. 

11. (Original) The method of claim 1, wherein said access policy specifies which 
applications are allowed Internet access. 

12. (Original) The method of claim 1, wherein said access policy specifies 
applications that are allowed Internet access. 

13. (Original) The method of claim 12, wherein said applications are specified by 
executable name and version number that are acceptable. 

14. (Original) The method of claim 12, wherein said applications are specified by 
digital signatures that are acceptable. 

15. (Original) The method of claim 14, wherein said digital signatures are 
computed using a cryptographic hash. 

16. (Original) The method of claim 15, wherein said cryptographic hash 
comprises a selected one of Secure Hash Algorithm (SHA-1) and MD5 cryptographic 
hashes. 

17. (Original) The method of claim 1, wherein said access policy specifies Internet 
access activities that are permitted or restricted for applications or versions thereof. 

18. (Original) The method of claim 1, wherein said access policy specifies rules 
that are transmitted to client computers from a remote location. 

19. (Original) The method of claim 18, wherein said remote location comprises a 
centralized location for maintaining said access policy. 

20. (Previously presented) The method of claim 1, wherein said step of blocking 
Internet access includes: 

determining, based on identification of a particular client computer or group 
thereof, a specific subset of rules filtered for that particular client computer or group 
thereof. 

21. (Original) The method of claim 1, wherein said challenge includes a request 
for a particular client computer to respond as to whether it is in compliance with said 
access policy. 

22. (Original) The method of claim 1, further comprising: 

redirecting a client computer that is not in compliance with said access policy to a 
sandbox server; and 

informing such client computer that it is not in compliance with said access 
policy. 

23. (Original) The method of claim 22 further comprising: 

redirecting a client computer that is not in compliance with a particular access 
policy, to a particular port on the sandbox server; and 

displaying particular error message pages on the sandbox server in response to 
communications on particular ports. 

24. (Original) In a system comprising one or more client computers connected to 
the Internet by client premises equipment serving a routing function for client computers, 
a method for managing Internet access based on a specified access policy, the method 
comprising: 

transmitting a challenge from said client premises equipment to each client 
computer, for determining whether a given client computer is in compliance with said 
specified access policy; 

transmitting a response from at least one client computer back to said client 
premises equipment for responding to said challenge that has been issued; and 

redirecting a request for Internet access by any client computer that does not 
respond appropriately to said challenge to a sandbox server. 

25. (Original) The method of claim 24, further comprising: 

displaying an error message on the sandbox server to any client computer that 
does not respond appropriately to said challenge. 

26. (Original) The method of claim 25, further comprising: 
after display of such error message, permitting said client computer to elect to 
access the Internet. 

27. (Original) The method of claim 24, wherein a client computer that responds 
with a particular predefined code indicating non-compliance is redirected to said sandbox 
server. 

28. (Original) The method of claim 24, wherein a client computer that responds 
with a particular predefined code indicating compliance is permitted Internet access. 

29. (Original) The method of claim 24, further comprising: 

before receipt of a challenge, transmitting an initial message from a particular 
client computer to the client premises equipment, for requesting the client premises 
equipment to transmit a challenge to that particular client computer. 

30. (Original) The method of claim 29, wherein said initial message comprises a 
"client hello" packet. 

31. (Original) The method of claim 24, wherein said client premises equipment is 
capable of permitting Internet access by selected client computers and redirecting other 
client computers to the sandbox server. 

32. (Original) The method of claim 24, wherein said access policy includes rules 
that are enforced against selected ones of users, computers, and groups thereof. 

33. (Original) The method of claim 24, wherein said access policy specifies which 
applications are allowed Internet access. 

34. (Original) The method of claim 24, wherein said access policy specifies 
executable names and version number of applications that are allowed Internet access. 

35. (Original) The method of claim 24, wherein said access policy specifies 
Internet access activities that are permitted or restricted for applications or versions 
thereof. 

36. (Original) The method of claim 24, wherein said access policy specifies rules 
that are transmitted to client computers from a remote location. 

37. (Original) The method of claim 36, wherein said remote location comprises a 
centralized location for maintaining said access policy. 

38. (Previously presented) The method of claim 24, wherein said step of 
redirecting a request for Internet access by a client computer includes: 

determining, based on identification of a particular client computer or group 
thereof, a specific subset of rules filtered for that particular client computer or group 
thereof. 

39. (Original) The method of claim 24, wherein said challenge includes a request 
for a particular client computer to respond as to whether it is in compliance with said 
access policy. 

40. (Original) The method of claim 24, further comprising: 

redirecting a client computer that is not in compliance with a particular access 
policy, to a particular port on the sandbox server; and 

displaying particular error messages on the sandbox server in response to 
communications on particular ports. 

41. (Original) The method of claim 24, further comprising: 

permitting client computers that are not in compliance with particular access 
policies to elect to access the Internet; and 

blocking computers that are not in compliance with other access policies from 
accessing the Internet. 

42. (Original) The method of claim 24, wherein said applications are specified by 
digital signatures which are acceptable. 

43. (Original) The method of claim 42, wherein said digital signatures are 
computed using a cryptographic hash. 

44. (Original) The method of claim 43, wherein said cryptographic hash 
comprises a selected one of Secure Hash Algorithm (SHA-1) and MD5 cryptographic 
hashes. 

45. (Original) A system for regulating Internet access by client computers 
comprising: 

an access policy governing Internet access by said client computers; 

client premises equipment serving a routing function for each client computer to 
be regulated and capable of issuing a challenge to each client computer, for determining 
whether a given client computer is in compliance with said access policy; 

one or more client computers which can connect to the Internet and at least one of 
which can respond to challenges issued by said client premises equipment; and 

an enforcement module for selectively blocking Internet access to the Internet to 
client computers not in compliance with said access policy. 

46. (Original) The system of claim 45, wherein said client premises equipment 
includes a router. 

47. (Original) The system of claim 45, wherein said access policy is provided at 
each client computer to be regulated. 

48. (Original) The system of claim 45, wherein said enforcement module is 
provided at said client premises equipment. 

49. (Previously presented) The system of claim 45, wherein said at least one client 
computer which can respond to challenges responds with a particular predefined code 
indicating noncompliance with said access policy and is blocked from Internet access. 

50. (Previously presented) The system of claim 45, wherein a client computer that 
responds with a particular predefined code indicating compliance with said access policy 
is permitted Internet access. 

51. (Original) The system of claim 45, wherein at least one of the client computers 
is capable of transmitting an initial message to the client premises equipment before 
receipt of a challenge, for requesting the client premises equipment to transmit a 
challenge to that particular client computer. 

52. (Original) The system of claim 45, wherein said enforcement module is 
capable of permitting Internet access by selected client computers and denying access to 
other client computers. 

53. (Original) The system of claim 45, wherein said access policy includes rules 
that are enforced against selected ones of users, computers, and groups thereof. 

54. (Original) The system of claim 53, wherein said enforcement module is 
capable of determining, based on identification of a particular client computer or group 
thereof, a specific subset of said access policies filtered for that particular client computer 
or group thereof. 
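To make the claimed mechanism concrete, the following is an added illustration (not part of the appeal brief or of Appellant's implementation) that models claims 38-54 in Python: a per-client/group rule subset (claims 38, 53, 54), application allowlisting by cryptographic hash (claims 42-44), a challenge answered with a predefined compliance code (claims 39, 49, 50), and an enforcement module that permits, blocks, lets a client elect access under non-mandatory rules, or redirects it to a sandbox port (claims 40, 41, 52). All client names, application images, group names and the sandbox port are constructed; the hash defaults to SHA-256 rather than the SHA-1/MD5 named in claim 44, because both named hashes are collision-prone and no longer suitable for allowlisting.

```python
"""Toy model of the router-side (CPE) compliance check described in the claims.
Constructed example: rules, clients, application images and ports are made up."""
import hashlib
from dataclasses import dataclass

# Predefined response codes exchanged between client and CPE (claims 49/50).
COMPLIANT = "COMPLIANT"
NONCOMPLIANT = "NONCOMPLIANT"
NO_RESPONSE = None            # a client without an agent never answers the challenge

SANDBOX_PORT = 8081           # assumed port on the sandbox server (claim 40)


def app_signature(image: bytes, algorithm: str = "sha256") -> str:
    """Application 'digital signature' as a cryptographic hash (claims 43/44).
    Claim 44 names SHA-1 and MD5; SHA-256 is used here as a safer default."""
    return hashlib.new(algorithm, image).hexdigest()


@dataclass
class Rule:
    name: str
    targets: frozenset              # client ids and/or group names (claim 53)
    allowed_signatures: frozenset   # acceptable application hashes (claim 42)
    mandatory: bool = True          # False: client may elect access anyway (claim 41)


@dataclass
class AccessPolicy:
    rules: list
    group_of: dict                  # client id -> group name

    def rules_for(self, client_id: str) -> list:
        """Subset of rules filtered for one client or its group (claims 38/54)."""
        group = self.group_of.get(client_id)
        return [r for r in self.rules if client_id in r.targets or group in r.targets]


@dataclass
class Client:
    client_id: str
    running_apps: dict              # app name -> image bytes
    has_agent: bool = True

    def answer_challenge(self, rules: list):
        """Client-side reply to the CPE challenge (claim 39): every running
        application must carry an acceptable signature under every applicable rule."""
        if not self.has_agent:
            return NO_RESPONSE
        sigs = {app_signature(img) for img in self.running_apps.values()}
        for rule in rules:
            if not sigs <= rule.allowed_signatures:
                return NONCOMPLIANT
        return COMPLIANT


@dataclass
class Decision:
    action: str                     # "permit", "block" or "redirect"
    port: int = 0


class EnforcementModule:
    """Router-side enforcement (claims 45, 48, 52)."""

    def __init__(self, policy: AccessPolicy):
        self.policy = policy

    def handle_request(self, client: Client, elect_access: bool = False) -> Decision:
        rules = self.policy.rules_for(client.client_id)
        if not rules:
            return Decision("permit")               # no rule governs this client
        code = client.answer_challenge(rules)
        if code == COMPLIANT:
            return Decision("permit")
        if code == NONCOMPLIANT and elect_access and all(not r.mandatory for r in rules):
            return Decision("permit")               # user elected access (claim 41)
        if code == NONCOMPLIANT:
            return Decision("redirect", SANDBOX_PORT)   # explain failure (claim 40)
        return Decision("block")                    # silent client: treat as noncompliant


def build_demo():
    """Constructed policy and clients used by run_demo()."""
    good_av = b"antivirus-9.2 (constructed image)"
    old_av = b"antivirus-7.0 (constructed image)"
    approved = frozenset({app_signature(good_av)})
    policy = AccessPolicy(
        rules=[Rule("staff-av", frozenset({"staff"}), approved, mandatory=True),
               Rule("guest-av", frozenset({"guest"}), approved, mandatory=False)],
        group_of={"pc-1": "staff", "pc-2": "staff", "kiosk": "staff",
                  "pc-3": "guest", "printer": "devices"},
    )
    clients = {
        "pc-1": Client("pc-1", {"av": good_av}),
        "pc-2": Client("pc-2", {"av": old_av}),
        "kiosk": Client("kiosk", {"av": old_av}, has_agent=False),
        "pc-3": Client("pc-3", {"av": old_av}),
        "printer": Client("printer", {}, has_agent=False),
    }
    return policy, clients


def run_demo() -> dict:
    """Return the enforcement decision for each constructed client."""
    policy, clients = build_demo()
    cpe = EnforcementModule(policy)
    return {cid: cpe.handle_request(c, elect_access=(cid == "pc-3"))
            for cid, c in clients.items()}


if __name__ == "__main__":
    for cid, decision in run_demo().items():
        print(f"{cid:8s} -> {decision.action}"
              + (f" (port {decision.port})" if decision.port else ""))
```

The point a practitioner should take from the model is the ordering of the checks: the rule subset is selected from the client's identity before any challenge is sent, a missing answer is treated as noncompliance rather than as absence of policy, and only rules explicitly marked non-mandatory allow the user to elect access.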

55. (Original) The system of claim 45, wherein said access policy specifies 



